Security Incidents mailing list archives

Re: .:: 14x :: Information :: New DDoS/Trojan ::.

From: rgg () SOLARIUM CS BUAP MX (Lic. Rodolfo Gonzalez Gonzalez)
Date: Thu, 15 Jun 2000 11:47:39 -0500


Hello,

Since several days ago I'm getting these  messages in a RedHat 6.1 box:

Jun 11 04:04:23 mail inetd[14085]: auth/tcp: bind: Address already in use
Jun 11 04:14:23 mail inetd[14085]: auth/tcp: bind: Address already in use

Since in.inetd is running (and nothing else sholud be binding that port),
I'm afraid that something is wrong here. Is this a kind of signature of
the trojan?.

Regards,
Rodolfo.

P.S. I also get the message when I restart inetd.

Current thread:

update on scans of tcp 12345 AUSCERT#36349 Russell Fulton (Jun 05)
- Re: update on scans of tcp 12345 AUSCERT#36349 Shaw Terwilliger (Jun 08)
- unknown trojan (attached) Jeremy L. Gaddis (Jun 08)
  - ** New DDoS / Trojan ** nine (Jun 10)
    - Re: ** New DDoS / Trojan ** Pierre Vandevenne (Jun 12)
  - Re: unknown trojan (attached) Brandon Kittler (Jun 10)
    - Re: unknown trojan (attached) Doug Kahler (Jun 12)
    - .:: 14x :: Information :: New DDoS/Trojan ::. Erik Tayler (Jun 13)
    - Re: .:: 14x :: Information :: New DDoS/Trojan ::. Lic. Rodolfo Gonzalez Gonzalez (Jun 15)
    - IRC connect through apache ???? arhuman () HOTMAIL COM (Jun 14)
    - Re: IRC connect through apache ???? Eric Vyncke (Jun 15)
- Re: update on scans of tcp 12345 AUSCERT#36349 orestes () DORIAN 2Y NET (Jun 08)
- Re: update on scans of tcp 12345 AUSCERT#36349 Keith Owens (Jun 08)
- <Possible follow-ups>
- Re: update on scans of tcp 12345 AUSCERT#36349 Bryan Scaringe (Jun 08)
- Re: update on scans of tcp 12345 AUSCERT#36349 Luke Dudney (Jun 10)