Security Incidents
mailing list archives
Re: New Rootkit?
From: Jeffrey Denton <dentonj () c2i2 com>
Date: Thu, 16 Oct 2003 12:19:38 -0700 (MST)
$ strings server
. . .
200.241.173.21
Must be ran as root.
socket
bind
setsockopt
newserver
stream
ping
pong
fork
Forked into background, pid %d
./at 0 %s 1 65535 1 %d 1>/dev/null 2>/dev/null
server.c
/usr/.xmag/mstream/
. . .
http://staff.washington.edu/dittrich/misc/mstream.analysis.txt
The strings fingerprint is similar. You may want to look at what else
is in the /usr/.xmag directory.
dentonj
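
An added example, not part of the original message: a minimal strings-fingerprint check of the kind the reply describes, using only marker strings copied from the quoted `strings server` output. The function names and the two sample byte strings are constructed for illustration.

```python
import re
import sys

# Distinctive strings copied from the `strings server` output quoted in the post.
MARKERS = [
    b"Must be ran as root.",
    b"newserver",
    b"Forked into background, pid %d",
    b"./at 0 %s 1 65535 1 %d 1>/dev/null 2>/dev/null",
    b"server.c",
    b"/usr/.xmag/mstream/",
]

def extract_strings(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, similar to strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def match_markers(data, markers=MARKERS):
    """Return (markers present as whole strings, fraction of markers present)."""
    found = set(extract_strings(data))
    hits = [m for m in markers if m in found]  # exact match, not substring
    return hits, len(hits) / len(markers)

# Constructed sample inputs (not real binaries): NUL-separated string tables.
SAMPLE_SUSPECT = b"\x7fELF\x01\x01\x00" + b"\x00".join([
    b"socket", b"bind", b"newserver", b"ping", b"pong",
    b"Forked into background, pid %d\n", b"server.c", b"/usr/.xmag/mstream/",
]) + b"\x00"
SAMPLE_BENIGN = b"\x7fELF\x01\x01\x00" + b"\x00".join([
    b"socket", b"bind", b"newserver_config_loader", b"src/server.c.orig",
]) + b"\x00"

if __name__ == "__main__":
    # With a path argument, check that file; otherwise run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            inputs = {sys.argv[1]: fh.read()}
    else:
        inputs = {"suspect sample": SAMPLE_SUSPECT, "benign sample": SAMPLE_BENIGN}
    for name, blob in inputs.items():
        hits, score = match_markers(blob)
        print(f"{name}: {len(hits)}/{len(MARKERS)} markers ({score:.0%})")
        for h in hits:
            print("   ", h.decode())
```

Whole-string matching keeps lookalikes such as `newserver_config_loader` from counting as hits; a high score is a reason to examine the host further, not proof of what the binary is.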