[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] are these worm files?

Subject: Re: [cobalt-security] are these worm files?
From: Gossi The Dog <gossi@xxxxxxxxxxxxxx>
Date: Sun, 25 Mar 2001 23:40:39 +0100 (BST)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

On Sat, 24 Mar 2001, Loryan Strant wrote:

> Hi,
>
> I've just run Lionfind on my Cobalt RaQ4, and it says the following are
> suspicious files:
>
> /usr/src/.puta/.1addr /usr/src/.puta/.1file /usr/src/.puta/.1proc
> /usr/src/.puta/.1logz /usr/src/.puta/ /usr/src/.puta/ /usr/info/.t0rn/
>
> I find those a little odd too, so I'm wondering if I can delete this whole
> directory.
> Does anyone have any suggestions?
>

T0rn rootkit.  That box is owned.  Either spend a loooot of time
reinstalling binaries and cleaning up files, or reinstall the box.

Either way, if you just sit on it you are asking for trouble.

Follow-Ups:
- Re: [cobalt-security] are these worm files?
  - From: Tsukaeru.net

References:
- [cobalt-security] are these worm files?
  - From: Loryan Strant

Prev by Date: Re: SV: [cobalt-security] Weird user on my SMTP
Next by Date: [cobalt-security] A reminder to sites running OpenSSH 2.2.0
Previous by thread: Re: [cobalt-security] are these worm files?
Next by thread: Re: [cobalt-security] are these worm files?

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index