Home page logo
/

basics logo Security Basics mailing list archives

Trojan found on Linux server
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Mon, 02 Jan 2006 16:31:12 -0500

After having a customer report that he had large amounts of outbound traffic from one of his Linux servers, I began to investigate and found a trojan.

The trojan had created a crontab for the "nobody" user (Apache was running as nobody and, while I did not take the time to verify I believe that Apache was probably the way the intruder got in) which, at 24 minutes after the hour, would write itself out to /tmp/ummtodkhk and then execute itself.

The /tmp/ummtodkhk file was packed with UPX. It has been unpacked and made available at http://www.jeremygaddis.com/files/ummtodkhk. It was submitted to VirusTotal, but nothing identified as anything known.

The results of `crontab -l -u nobody >> nobody.cron` are available at http://www.jeremygaddis.com/files/nobody.cron.

-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
LinuxWiz Consulting
http://www.linuxwiz.net/

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]