
RE: [cobalt-security] are these worm files?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, those files are from the Lion Worm.  My company has been dealing
with this for some time now.  The t0rn files are from the rootkit that
Lion uses.  While you can delete the .puta directory, my best advice
would be to reinstall the box.  There could be things that have been
compromised that are nearly impossible to detect.  Bottom line is,
you can't trust that box no matter how hard you try to scrub it
clean.

Good luck,

Marc Soda
ASPRE, Inc.
marc@xxxxxxxxx
http://www.aspre.net/

Managed e-Business Application Services
- ---------------------------------
t. 215.957.2266 Ext. 2144
f. 215.957.2277
c. 215.840.1633

113 Rock Road
Horsham, PA 19044



- -----Original Message-----
From: Loryan Strant [mailto:cobalt-security@xxxxxxxxxx]
Sent: Friday, March 23, 2001 7:42 PM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] are these worm files?


Hi,

I've just run Lionfind on my Cobalt RaQ4, and it says the following
are suspicious files:

/usr/src/.puta/.1addr /usr/src/.puta/.1file /usr/src/.puta/.1proc
/usr/src/.puta/.1logz /usr/src/.puta/ /usr/src/.puta/
/usr/info/.t0rn/

I find those a little odd too, so I'm wondering if I can delete this
whole directory.
Does anyone have any suggestions?

Thanks,

Loryan



*******************************************************************
Loryan Strant
IT Director
ExaSites Pty Ltd
Email://loryan@xxxxxxxxxx
Web://www.exa.com.au
Disclaimer:
Nothing in this correspondence:
	1.	should be interpreted as being legal advice;
	2.	shall be construed as a solicitation of any kind;
	3.	should be interpreted as a signature or mark that can create a legally binding commercial relationship;
	4.	should be omitted in any fair use of this correspondence; and
	5.	is necessarily the opinion of ExaSites Pty Ltd



-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBOrwTb/P6BjwhjEhIEQIX2wCg6eVTAolmzi3EAF0FBlT9w1oGgfYAoOBv
U+s3LX5+fpc0ve+ja98+eJ97
=77je
-----END PGP SIGNATURE-----
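
An added example, not part of either message above: a check for the paths quoted in the Lionfind output, run against an offline copy of the suspect disk rather than on the compromised host itself. It assumes the disk is mounted read-only on a trusted machine; `scan_root` and the mount point are hypothetical names.

```shell
#!/bin/sh
# Added example: look for the paths quoted in this thread under an
# offline-mounted copy of the suspect filesystem.
# Assumption: the disk is mounted read-only on a trusted host, so the
# tools doing the checking are not the ones on the compromised box.

# Paths copied from the Lionfind output quoted in the thread.
LION_PATHS='/usr/src/.puta
/usr/src/.puta/.1addr
/usr/src/.puta/.1file
/usr/src/.puta/.1proc
/usr/src/.puta/.1logz
/usr/info/.t0rn'

# scan_root MOUNTPOINT
# Prints "FOUND <path>" for every listed path present under MOUNTPOINT.
# Returns 0 if nothing was found, 1 if anything was found, 2 on bad usage.
scan_root() {
    [ -n "$1" ] && [ -d "$1" ] || {
        echo "usage: scan_root MOUNTPOINT" >&2
        return 2
    }
    root=${1%/}          # "/mnt/x/" -> "/mnt/x", "/" -> ""
    found=0
    while IFS= read -r p; do
        # -L also catches a dangling symlink left at a listed path
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf 'FOUND %s\n' "$root$p"
            found=1
        fi
    done <<EOF
$LION_PATHS
EOF
    return "$found"
}

# Run directly as: sh scan.sh /mnt/suspect   (hypothetical mount point)
if [ "$#" -gt 0 ]; then
    scan_root "$1"
fi
```

A hit confirms the finding; a clean result does not make the box trustworthy, which is why the reply above recommends reinstalling.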