
Re: [cobalt-security] are these worm files?



Someone should write an ethical worm that breaks into the system, secures it, then leaves!

Gossi, are you up for it? :)

*********** REPLY SEPARATOR  ***********

On 26/03/2001 at 08:41 Tsukaeru.net wrote:

>I had the same rootpack installed previously. And...finally lost root
>access and had to reinstall the OS. As far as I know this attack is usually
>through DNS..(Bind?) Do you have this running on your server?
>
>Jason Frisch
>
>----- Original Message -----
>From: "Gossi The Dog" <gossi@xxxxxxxxxxxxxx>
>To: <cobalt-security@xxxxxxxxxxxxxxx>
>Sent: Monday, March 26, 2001 7:40 AM
>Subject: Re: [cobalt-security] are these worm files?
>
>
>>
>>
>> On Sat, 24 Mar 2001, Loryan Strant wrote:
>>
>> > Hi,
>> >
>> > I've just run Lionfind on my Cobalt RaQ4, and it says the following are
>> > suspicious files:
>> >
>> > /usr/src/.puta/.1addr /usr/src/.puta/.1file /usr/src/.puta/.1proc
>> > /usr/src/.puta/.1logz /usr/src/.puta/ /usr/src/.puta/ /usr/info/.t0rn/
>> >
>> > I find those a little odd too, so I'm wondering if I can delete this
>> > whole directory.
>> > Does anyone have any suggestions?
>> >
>>
>> T0rn rootkit.  That box is owned.  Either spend a loooot of time
>> reinstalling binaries and cleaning up files, or reinstall the box.
>>
>> Either way, if you just sit on it you are asking for trouble.
>>
>>
>> _______________________________________________
>> cobalt-security mailing list
>> cobalt-security@xxxxxxxxxxxxxxx
>> http://list.cobalt.com/mailman/listinfo/cobalt-security
>>
>
