Yes, but has anyone seen anything similar?

> Well, let's see... there's a hidden executable in your /tmp directory,
> where people never look anyway. The executable opens a socket to an
> address in Indonesia and apparently binds a shell to it. And you're
> wondering what's on your system? :-)
>
>
> -----Original Message-----
> From: Mike Pelley [SMTP:mike@xxxxxxxxxxx]
> Sent: Friday, November 28, 2003 2:29 AM
> To: redhat-list
> Subject: strange executable found in cron report - attaching to 203.130.232.110
>
> Folks,
>
> A friend of mine was reviewing her daily LogWatch reports and noted that
> there was a strange entry. The file was "/tmp/.c" and the full entry was
>
> User root:
> /tmp/.c 203.130.232.110 62282: 1 Time(s)
>
> That seems like an address in Indonesia.
>
> When she ran "strings" against it, it had the following strings
>
> /lib/ld-linux.so.2
> __gmon_start__
> libc.so.6
> strcpy
> connect
> getenv
> __strtol_internal
> execve
> dup2
> sleep
> socket
> bzero
> __deregister_frame_info
> wait
> fork
> memset
> gethostbyname
> exit
> _IO_stdin_used
> __libc_start_main
> setuid
> __register_frame_info
> close
> GLIBC_2.0
> PTRh@
> 8(t1@8(t,@8(t'@
> 8(t1@8(t,@8(t'@
> /usr/sbin/named
> SHELL
> /bin/sh
>
> Anyone have any idea what got on her system? She is running Red Hat 8
> and is fully patched as can be. She also ran "chkrootkit" - the latest
> build recompiled on another system - and it didn't find any rootkits.
>
> Thanks!
>
> Cheers,
> Mike
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
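Added example, not part of the thread: a small Python triage helper that reads a file's "strings" output the way the reply above does, flagging the socket + dup2 + execve + shell-path combination and the hidden name under /tmp. The capability groupings, the daemon-path check and all function names are assumptions made for this illustration; the sample is abridged from the listing quoted in the message.

```python
import posixpath
import re

# libc imports grouped by the capability they suggest in `strings` output.
CAPABILITIES = {
    "outbound_connection": {"socket", "connect"},
    "stdio_redirect": {"dup2"},
    "program_exec": {"execve"},
    "background_process": {"fork"},
    "uid_change": {"setuid"},
}
SHELL_RE = re.compile(r"^/bin/(?:ba|da|c|k|z)?sh$")
DAEMON_RE = re.compile(r"^/usr/sbin/[\w.-]+$")
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Abridged from the listing quoted in the message (whitespace-joined).
SAMPLE_STRINGS = (
    "/lib/ld-linux.so.2 libc.so.6 strcpy connect getenv execve dup2 sleep "
    "socket bzero wait fork memset gethostbyname exit setuid close "
    "/usr/sbin/named SHELL /bin/sh"
)


def triage(strings_output, file_path):
    """Return (capabilities, findings) for one file's `strings` output."""
    tokens = set(strings_output.split())
    caps = {name for name, syms in CAPABILITIES.items() if syms <= tokens}
    shells = sorted(t for t in tokens if SHELL_RE.match(t))
    daemons = sorted(t for t in tokens if DAEMON_RE.match(t))
    findings = []
    # Socket + dup2 + execve + a shell path is the combination the reply
    # reads as "opens a socket and binds a shell to it".
    if {"outbound_connection", "stdio_redirect", "program_exec"} <= caps and shells:
        findings.append("network shell pattern (" + shells[0] + ")")
    # Assumption: a daemon path embedded in a file outside /usr/sbin deserves review.
    if daemons and posixpath.dirname(file_path) != "/usr/sbin":
        findings.append("embeds daemon path " + daemons[0])
    directory, name = posixpath.split(file_path)
    if directory in WRITABLE_DIRS and name.startswith("."):
        findings.append("hidden file in world-writable directory")
    return sorted(caps), findings


if __name__ == "__main__":
    caps, findings = triage(SAMPLE_STRINGS, "/tmp/.c")
    print("capabilities:", ", ".join(caps))
    for finding in findings:
        print("finding:", finding)
```

Symbol names alone are weak evidence, since ordinary network clients also import socket and connect; the helper only raises the shell finding when the whole combination is present.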