Re: a compromised machine

To: Marcin Owsiany <porridge@debian.org>
Cc: debian-security@lists.debian.org
Subject: Re: a compromised machine
From: Nejc Novak <nejc@soncek.biz>
Date: Wed, 27 Jul 2005 00:36:23 +0200
Message-id: <[🔎] 42E6BAE7.4020900@soncek.biz>
In-reply-to: <[🔎] 20050726223219.GA1200@kufelek>
References: <[🔎] D0B6C1BAE46CD711B8E70048545A2AC90C9222@serveur2.tg.lan> <[🔎] 42E696EC.6050006@soncek.biz> <[🔎] 20050726203919.GA9459@peaches-en-regalia> <[🔎] 20050726223219.GA1200@kufelek>

OK :)

So, for now i killed this process, disabled the cronjob and killed webserver - there is now way the attacker is capable of coming back intoserver or is there a chance that there is another backdoor installedsomewhere (chkrootkit doesn't find anything).


Nejc

Marcin Owsiany wrote:

On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:

On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
Can you get any information out of this cron file? I tried creating thesame exec that this file creats, but obiously i was doing sth wrong :)
The crontab writes out a binary file and executes it.  I straced the
binary on a virtual machine with no network.

It's attempting to connect to two different hosts:

210.169.91.66:5454


This is an IRC server. The program seems to be an IRC zombie.

Marcin

Reply to:

Follow-Ups:
- Re: a compromised machine
  - From: Davide Prina <davide.prina@gmail.com>

References:
- RE: a compromised machine
  - From: Mathieu JANIN <Matt@tgcaen.dyndns.biz>
- Re: a compromised machine
  - From: Nejc Novak <nejc@soncek.biz>
- Re: a compromised machine
  - From: Edward Faulkner <ef@alum.mit.edu>
- Re: a compromised machine
  - From: Marcin Owsiany <porridge@debian.org>

Prev by Date: Re: a compromised machine
Next by Date: RE: a compromised machine
Previous by thread: Re: a compromised machine
Next by thread: Re: a compromised machine
Index(es):
- Date
- Thread