
RE: a compromised machine



Kernel rootkits are very good at hiding themselves when they are
running.

Best way is to mount the hard drive in another box as /mnt or something
and run chkrootkit over it and also md5sum known hacked binaries like ls
etc.
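The offline check described above, written out as an added example script (not part of the original post): the suspect disk is mounted read-only under a path such as /mnt, and the md5 of the binaries rootkits commonly replace is compared against a reference list recorded earlier on a known-clean host with the same package versions. The list of binaries and the /mnt path are assumptions; the `md5  path` line format is that of md5sum and of Debian's /var/lib/dpkg/info/*.md5sums files.

```sh
#!/bin/sh
# Offline integrity check of a compromised root filesystem that has been
# mounted (read-only) on a trusted machine. Example code, not from the post.
# Run nothing from the suspect disk: only the trusted host's md5sum is used.

# Binaries that userland rootkits typically replace (assumed list; extend as needed).
SUSPECT_BINARIES="bin/ls bin/ps bin/netstat bin/login usr/bin/find usr/bin/top usr/sbin/sshd"

# make_reference ROOT OUT
#   Record "<md5>  <path relative to />" for each suspect binary under ROOT.
#   Run this on a KNOWN-CLEAN host (ROOT=/), not on the suspect disk, because
#   a rootkit that replaces binaries may also edit checksum files on that disk.
make_reference() {
    root=$1
    out=$2
    : > "$out"
    for rel in $SUSPECT_BINARIES; do
        if [ -f "$root/$rel" ]; then
            sum=$(md5sum "$root/$rel" | cut -d' ' -f1)
            printf '%s  %s\n' "$sum" "$rel" >> "$out"
        fi
    done
}

# compare_against_reference MOUNT REFERENCE_FILE
#   For every "<md5>  <path>" line in REFERENCE_FILE, hash MOUNT/<path> and
#   print OK, MISMATCH or MISSING. Returns 1 if anything is not OK.
#   Paths containing spaces are not handled (md5sum output splits on whitespace).
compare_against_reference() {
    mnt=$1
    ref=$2
    status=0
    while read -r want path; do
        [ -z "$path" ] && continue
        target="$mnt/$path"
        if [ ! -f "$target" ]; then
            echo "MISSING   $path"
            status=1
            continue
        fi
        have=$(md5sum "$target" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK        $path"
        else
            echo "MISMATCH  $path (expected $want, got $have)"
            status=1
        fi
    done < "$ref"
    return $status
}

# Typical use (assumed paths):
#   on a clean host:      make_reference / clean-binaries.md5
#   on the analysis box:  compare_against_reference /mnt clean-binaries.md5
```

Because Debian's `/var/lib/dpkg/info/<package>.md5sums` files use the same line format, `compare_against_reference /mnt /mnt/var/lib/dpkg/info/coreutils.md5sums` gives a quick first pass over every coreutils file, with the caveat noted in the script: those checksum files live on the suspect disk and could have been altered along with the binaries, so a mismatch is evidence but a clean result is not proof.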

 
> OK :)
> 
> So, for now i killed this process, disabled the cronjob and killed web
> server - there is no way the attacker is capable of coming back into
> server or is there a chance that there is another backdoor installed
> somewhere (chkrootkit doesn't find anything).
> 
> Nejc
> 
> Marcin Owsiany wrote:
> 
> >On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
> >
> >
> >>On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
> >>
> >>
> >>>Can you get any information out of this cron file? I tried creating the
> >>>same exec that this file creates, but obviously I was doing something wrong :)
> >>>
> >>>
> >>The crontab writes out a binary file and executes it.  I straced the
> >>binary on a virtual machine with no network.
> >>
> >>It's attempting to connect to two different hosts:
> >>
> >>210.169.91.66:5454
> >>
> >>
> >
> >This is an IRC server. The program seems to be an IRC zombie.
> >
> >Marcin
> >
> >
> 
> 
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org



