Security Incidents mailing list archives

Possible break in
From: Alexandros Kyriakides <alex1 () MIT EDU>
Date: Mon, 22 Mar 2004 10:31:16 -0500 (EST)


I am wondering if anyone can give me some help with this incident. The
only related thing I found on-line was this:

http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html



The box I have is running Linux Mandrake 8.0. What I have found until now
is the following:


1) Two new binary files:

/usr/bin/dbproc
/usr/bin/gnorp



2) Appended at the end of inittab and rc.local:

inittab:
a:2345:once:/usr/bin/dbproc
a:2345:once:/bin/end

rc.local:
#Starting gnorp
/usr/bin/gnorp
#The End
/bin/end


3) lsattr gives:

suS-iadAcj--- /etc/inittab
suS-iadAcj--- /etc/rc.local




Has anyone seen this before? I am also interested in finding out how this
happened, if possible. Any help is greatly appreciated.


The two binary files can be found at:

http://web.mit.edu/alex1/www/binaries/
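
The findings listed in the message can be decoded mechanically during triage. The following Python script is an added example, not part of the original post: it parses the quoted lsattr output and inittab lines (embedded below as constructed sample input), reports which files carry the immutable or append-only attribute, and flags repeated inittab ids. The function names are hypothetical.

```python
from collections import Counter

# chattr(1) attribute letters and their meanings.
ATTRS = {
    "s": "secure deletion", "u": "undeletable", "S": "synchronous updates",
    "i": "immutable", "a": "append only", "d": "no dump",
    "A": "no atime updates", "c": "compressed", "j": "data journalling",
}
# Attributes that restrict modification, even by root, until cleared with chattr.
BLOCKING = {"i", "a"}

# Constructed sample input: the lines quoted in the post.
LSATTR_OUT = """\
suS-iadAcj--- /etc/inittab
suS-iadAcj--- /etc/rc.local
"""
INITTAB_TAIL = """\
a:2345:once:/usr/bin/dbproc
a:2345:once:/bin/end
"""

def parse_lsattr(text):
    """Return {path: set of attribute letters} from lsattr output."""
    rows = (l.split(None, 1) for l in text.splitlines() if l.strip())
    return {path: set(flags) - {"-"} for flags, path in rows}

def locked_files(attrs):
    """Paths carrying immutable or append-only, with the letters found."""
    return {p: sorted(f & BLOCKING) for p, f in attrs.items() if f & BLOCKING}

def describe(flags):
    """Human-readable names for a set of attribute letters."""
    return sorted(ATTRS.get(ch, ch) for ch in flags)

def parse_inittab(text):
    """Return (id, runlevels, action, process) tuples, skipping comments."""
    lines = (l.strip() for l in text.splitlines())
    return [tuple(l.split(":", 3)) for l in lines if l and not l.startswith("#")]

def duplicate_ids(entries):
    """inittab ids are meant to be unique; repeats point at appended lines."""
    counts = Counter(e[0] for e in entries)
    return sorted(i for i, n in counts.items() if n > 1)

if __name__ == "__main__":
    for path, flags in parse_lsattr(LSATTR_OUT).items():
        print(path, describe(flags))
    print("locked:", locked_files(parse_lsattr(LSATTR_OUT)))
    print("duplicate inittab ids:", duplicate_ids(parse_inittab(INITTAB_TAIL)))
```
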

