RE: strange executable found in cron report - attaching to 203.130.232.110

Well, let's see... there's a hidden executable in your /tmp directory,
where people never look anyway. The executable opens a socket to an
address in Indonesia and apparently binds a shell to it. And you're
wondering what's on your system? :-)


	-----Original Message-----
	From:	Mike Pelley [SMTP:mike@xxxxxxxxxxx]
	Sent:	Friday, November 28, 2003 2:29 AM
	To:	redhat-list
	Subject:	strange executable found in cron report - attaching to 203.130.232.110

	Folks,

	A friend of mine was reviewing her daily LogWatch reports and noted that there was a strange entry.  The file was "/tmp/.c" and the full entry was

	   User root:
	      /tmp/.c 203.130.232.110 62282: 1 Time(s)

	That seems like an address in Indonesia.

	When she ran "strings" against it, it had the following strings

	/lib/ld-linux.so.2
	__gmon_start__
	libc.so.6
	strcpy
	connect
	getenv
	__strtol_internal
	execve
	dup2
	sleep
	socket
	bzero
	__deregister_frame_info
	wait
	fork
	memset
	gethostbyname
	exit
	_IO_stdin_used
	__libc_start_main
	setuid
	__register_frame_info
	close
	GLIBC_2.0
	PTRh@
	8(t1@8(t,@8(t'@
	8(t1@8(t,@8(t'@
	/usr/sbin/named
	SHELL
	/bin/sh

	Anyone have any idea what got on her system?  She is running Red Hat 8 and is fully patched as can be.  She also ran "chkrootkit" - the latest build recompiled on another system - and it didn't find any rootkits.

	Thanks!

	Cheers,
	Mike


	-- 
	redhat-list mailing list
	unsubscribe
mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
	https://www.redhat.com/mailman/listinfo/redhat-list




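As an added triage example (my own code, not anything the posters ran): the symbols quoted in the thread, socket/connect/dup2/execve/fork plus a shell path and a borrowed daemon name like /usr/sbin/named, are the import profile of a connect-back shell, and this script scores a `strings` dump for that profile and flags hidden executables in world-writable directories such as /tmp/.c. The sample input is constructed from the symbols in the thread; `score_file` assumes a local `strings` binary from binutils.

```python
# Triage helper (added example, not from the thread): score `strings` output of an unknown ELF.
import re
import subprocess
from pathlib import Path

# Constructed sample: a subset of the symbols quoted in the thread.
SAMPLE_STRINGS = """\
connect
execve
dup2
socket
fork
gethostbyname
setuid
/usr/sbin/named
/bin/sh
"""

# libc imports that together implement "connect out, wire stdin/stdout/stderr to a shell".
REVERSE_SHELL_IMPORTS = {"socket", "connect", "dup2", "execve", "fork", "gethostbyname"}
SHELL_PATHS = {"/bin/sh", "/bin/bash"}
# A daemon path embedded in a binary that is not that daemon is a bid to blend into ps output.
SYSTEM_DAEMON_PATH = re.compile(r"^/(usr/)?s?bin/\S+$")
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def suspicious_exec_path(path: str) -> bool:
    """Hidden (dot-named) executable in a world-writable directory, like /tmp/.c."""
    return path.startswith(WORLD_WRITABLE) and Path(path).name.startswith(".")

def score_strings(text: str) -> dict:
    """Return the indicator groups present in one `strings` dump."""
    seen = {line.strip() for line in text.splitlines() if line.strip()}
    imports = REVERSE_SHELL_IMPORTS & seen
    shells = SHELL_PATHS & seen
    daemons = sorted(s for s in seen if SYSTEM_DAEMON_PATH.match(s) and s not in shells)
    return {
        "imports": sorted(imports),
        "shell_paths": sorted(shells),
        "daemon_names": daemons,
        "calls_setuid": "setuid" in seen,
        # Heuristic: most of the import set plus a shell path is what a hand-written connect-back shell looks like.
        "likely_reverse_shell": len(imports) >= 4 and bool(shells),
    }

def score_file(path: str) -> dict:
    """Run `strings` on a local file and score it (needs binutils installed)."""
    out = subprocess.run(["strings", "-a", path], capture_output=True, text=True, check=True).stdout
    return score_strings(out)
```

Pair the verdict with the cron-report path check: a hit from `score_strings` on a file for which `suspicious_exec_path` is also true, as with /tmp/.c here, is worth treating as a compromised host rather than a stray file.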
