A friend of mine was reviewing her daily LogWatch reports and noted that there was a strange entry. The file was "/tmp/.c" and the full entry was:
User root: /tmp/.c 203.130.232.110 62282: 1 Time(s)
That seems like an address in Indonesia.
When she ran "strings" against it, it had the following strings:
/lib/ld-linux.so.2 __gmon_start__ libc.so.6 strcpy connect getenv __strtol_internal execve dup2 sleep socket bzero __deregister_frame_info wait fork memset gethostbyname exit _IO_stdin_used __libc_start_main setuid __register_frame_info close GLIBC_2.0 PTRh@ 8(t1@8(t,@8(t'@ 8(t1@8(t,@8(t'@ /usr/sbin/named SHELL /bin/sh
Anyone have any idea what got on her system? She is running Red Hat 8 and is fully patched as can be. She also ran "chkrootkit" - the latest build recompiled on another system - and it didn't find any rootkits.
Thanks!
Cheers, Mike
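
Added example, not part of the original post: a small triage script that splits the report line quoted above into fields and groups the libc symbols from the "strings" output by capability. The capability groupings, the world-writable directory list and the remote_shell_pattern flag are this example's own heuristics (assumptions), and the input is constructed from the text quoted in the post.

```python
import re

# Constructed input: the readable strings quoted in the post (garbled tokens omitted).
STRINGS_OUTPUT = """
/lib/ld-linux.so.2 __gmon_start__ libc.so.6 strcpy connect getenv
__strtol_internal execve dup2 sleep socket bzero __deregister_frame_info
wait fork memset gethostbyname exit _IO_stdin_used __libc_start_main
setuid __register_frame_info close GLIBC_2.0 /usr/sbin/named SHELL /bin/sh
"""
LOG_ENTRY = "User root: /tmp/.c 203.130.232.110 62282: 1 Time(s)"

# Assumption: capability names and groupings are this example's own heuristic.
CAPABILITIES = {
    "outbound TCP client": {"socket", "connect"},
    "hostname resolution": {"gethostbyname"},
    "stdio redirection": {"dup2"},
    "program execution": {"execve"},
    "forks child process": {"fork"},
    "changes user id": {"setuid"},
}
SHELLS = {"/bin/sh", "/bin/bash"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def triage_strings(text):
    """Map strings(1) output to capabilities and flag the network-shell pattern."""
    tokens = set(text.split())
    caps = sorted(n for n, syms in CAPABILITIES.items() if syms <= tokens)
    shells = sorted(tokens & SHELLS)
    # Absolute paths other than the loader and shells: possible process-name disguise.
    other_paths = sorted(t for t in tokens if t.startswith("/")
                         and t not in SHELLS and not t.startswith("/lib/"))
    pattern = {"socket", "connect", "dup2", "execve"} <= tokens and bool(shells)
    return {"capabilities": caps, "shells": shells,
            "embedded_paths": other_paths, "remote_shell_pattern": pattern}

def parse_log_entry(line):
    """Split a 'User X: command args: N Time(s)' report line into fields."""
    m = re.match(r"User (\S+): (\S+)(?: (.*?))?: (\d+) Time\(s\)$", line.strip())
    if not m:
        return None
    user, path, args, count = m.groups()
    name = path.rsplit("/", 1)[-1]
    return {"user": user, "path": path, "args": (args or "").split(),
            "count": int(count), "hidden_name": name.startswith("."),
            "world_writable_dir": path.startswith(WORLD_WRITABLE)}

if __name__ == "__main__":
    print(parse_log_entry(LOG_ENTRY))
    print(triage_strings(STRINGS_OUTPUT))
```

On the quoted input, every capability group matches and the only embedded path besides the loader and the shell is /usr/sbin/named; the script reports what the binary is able to do, not what it did.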