Security Incidents
mailing list archives
Re: Possible break in
From: ben <ben () electricfork com>
Date: Mon, 22 Mar 2004 10:57:09 -0500
Just ran strings against the two files. dbproc looks like a version of
the suckit rootkit, gnorp didn't look familiar to me. I'd check the
timestamps on the two files and do a find on your system for files that
have been written to your filesystem since that date. Then look closer
at any said files, and logs generated during that time.
-Ben
On Mar 22, 2004, at 10:31 AM, Alexandros Kyriakides wrote:
I am wondering if anyone can give me some help with this incident. The
only related thing I found on-line was this:
http://www.taclug.org/pipermail/taclug-general/2003-July/007821.html
The box I have is running linux mandrake 8.0. What I have found until
now is the following:
1) Two new binary files:
/usr/bin/dbproc
/usr/bin/gnorp
2) Appended at the end of inittab and rc.local:
inittab:
a:2345:once:/usr/bin/dbproc
a:2345:once:/bin/end
rc.local:
#Starting gnorp
/usr/bin/gnorp
#The End
/bin/end
3) lsattr gives:
suS-iadAcj--- /etc/inittab
suS-iadAcj--- /etc/rc.local
Has anyone seen this before? I am also interested in finding out how
this happened, if possible. Any help is greatly appreciated.
The two binary files can be found at:
http://web.mit.edu/alex1/www/binaries/
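A triage helper in the spirit of Ben's advice, added here and not code from either poster: it lists files written since the suspicious binary's mtime and greps inittab and rc.local for the hooks the post shows. It assumes a copy of the filesystem mounted under a root path of your choosing; the demo tree and its timestamps are constructed.

```shell
#!/bin/sh
# Added triage helper, not from the thread. Run against a read-only mount
# of a disk copy, so a rootkit on the live box cannot hide results from
# find, grep or lsattr.

# Every regular file under $1 with an mtime later than reference file $2.
files_newer_than() {
    find "$1" -type f -newer "$2" ! -path "$2" 2>/dev/null | sort
}

# Lines in inittab ($1) and rc.local ($2) that mention any of the binaries
# named in the remaining arguments, prefixed with file and line number.
persistence_hits() {
    inittab=$1; rclocal=$2; shift 2
    for bin in "$@"; do
        grep -n -- "$bin" "$inittab" 2>/dev/null | sed 's|^|inittab:|'
        grep -n -- "$bin" "$rclocal"  2>/dev/null | sed 's|^|rc.local:|'
    done
}

# Attribute flags as in the post's lsattr output; lsattr ships with e2fsprogs
# and is skipped when absent. An 'i' (immutable) or 'a' (append-only) flag
# on a config file the admin never set is itself an indicator.
attr_flags() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available"; return 0; }
    lsattr -d "$@" 2>/dev/null
}

# Constructed stand-in for the compromised box (assumed timestamps, not real
# evidence): an old log, the dropped binary dated 20 Mar 2004, and the two
# config files edited afterwards. Prints the tree root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/etc" "$root/var/log"
    printf 'old\n' > "$root/var/log/messages"
    touch -t 200301010000 "$root/var/log/messages"     # predates the intrusion
    printf 'rk\n' > "$root/usr/bin/dbproc"
    touch -t 200403200100 "$root/usr/bin/dbproc"       # assumed drop time
    printf 'id:3:initdefault:\na:2345:once:/usr/bin/dbproc\n' > "$root/etc/inittab"
    printf '#Starting gnorp\n/usr/bin/gnorp\n' > "$root/etc/rc.local"
    echo "$root"
}

demo_root=$(make_demo_tree)
files_newer_than "$demo_root" "$demo_root/usr/bin/dbproc"
persistence_hits "$demo_root/etc/inittab" "$demo_root/etc/rc.local" dbproc gnorp
attr_flags "$demo_root/etc/inittab" "$demo_root/etc/rc.local"
rm -rf "$demo_root"
```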