
[cobalt-security] One weird HaQ... have you seen this..

Here are the symptoms...

from chkrootkit:

  Checking `lkm'... You have     1 process hidden for ps command
  Warning: Possible LKM Trojan installed

And really weird... from the "locate" command...

  [root /home]# locate crypto
  /home/susr/doc/python-docs-1.5.2/Doc/libcrypto.tex

Now we know this should be:

  [root /home]# locate crypto
  /usr/doc/python-docs-1.5.2/Doc/libcrypto.tex

and in fact the file is where it's supposed to be.

When we first saw this we thought we were lucky; that we'd found the
hacker because the slocate update was running at the moment he was
hacking, and we started looking at those files... until we realized
locate returned something weird like this for EVERY file on the box that
didn't already start with /home/s.

Here's the scenario...

We restore the box.  It's good.

We restore the sites (CMU).  Good.

The next day it has the symptoms again.

Any help/ideas/requests for consulting work <smile> gratefully
appreciated.

Jeff
-- 
Jeff Lasman <jblists@xxxxxxxxxxxxx>
Linux and Cobalt/Sun/RaQ Consulting
nobaloney.net
P. O. Box 52672, Riverside, CA  92517
voice: (909) 778-9980  *  fax: (702) 548-9484
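The two symptoms above can be checked directly rather than trusting the tools that may have been replaced: the "process hidden for ps" finding is a comparison of the PIDs the kernel exposes in /proc against what `ps` lists, and the strange `locate` output can be tested by asking whether each reported path exists on disk and whether the same path with the leading `/home/s` removed does. The script below is an added example written for this post, not code from the poster or from chkrootkit; the `/home/s` prefix, the `crypto` search term and the sample paths in `demo()` are taken from the post, and the constructed "filesystem" in `demo()` is made up for the offline check.

```python
#!/usr/bin/env python3
"""Cross-check two rootkit symptoms described in the post:
  1. PIDs present in /proc but missing from `ps` output.
  2. `locate` results that do not exist on disk, in particular results of the
     form /home/s<real path> whose real path does exist.
Added example, not part of the original post."""
import os
import re
import subprocess

PID_RE = re.compile(r"^\d+$")


def pids_from_proc(proc_root="/proc"):
    """Live PIDs read straight from the kernel's /proc, bypassing ps entirely."""
    return {int(name) for name in os.listdir(proc_root) if PID_RE.match(name)}


def pids_from_ps_output(ps_text):
    """Parse `ps -e -o pid=` output (one PID per line, possibly padded) into a set."""
    return {int(tok) for tok in ps_text.split() if PID_RE.match(tok)}


def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel knows about that ps did not report (chkrootkit's 'lkm' idea).
    A process that exits between the two snapshots also shows up here, so a
    persistent hit across repeated runs is what matters."""
    return sorted(proc_pids - ps_pids)


def stale_locate_hits(locate_lines, exists=os.path.exists):
    """locate results that do not exist on disk at all."""
    return [p.strip() for p in locate_lines if p.strip() and not exists(p.strip())]


def prefix_rewritten_hits(locate_lines, prefix="/home/s", exists=os.path.exists):
    """The exact pattern from the post: a reported path such as
    /home/susr/doc/... that is missing, while /usr/doc/... is present.
    Returns (reported, real) pairs."""
    pairs = []
    for line in locate_lines:
        reported = line.strip()
        if not reported.startswith(prefix) or exists(reported):
            continue
        real = "/" + reported[len(prefix):]
        if exists(real):
            pairs.append((reported, real))
    return pairs


def demo():
    """Offline run over constructed data mirroring the post's symptoms."""
    constructed_fs = {  # constructed stand-in for the real filesystem
        "/usr/doc/python-docs-1.5.2/Doc/libcrypto.tex",
        "/home/s/notes.txt",
    }
    exists = constructed_fs.__contains__
    # constructed `locate crypto` output: the first line is the post's bad hit
    locate_out = [
        "/home/susr/doc/python-docs-1.5.2/Doc/libcrypto.tex",
        "/home/s/notes.txt",
    ]
    # constructed snapshots: PID 999 is in /proc but not in ps
    proc_snapshot = {1, 2, 3, 999}
    ps_snapshot = pids_from_ps_output("  1\n  2\n  3\n")
    return {
        "hidden_pids": hidden_pids(proc_snapshot, ps_snapshot),
        "stale_locate": stale_locate_hits(locate_out, exists=exists),
        "prefix_rewritten": prefix_rewritten_hits(locate_out, exists=exists),
    }


def run_live(term="crypto"):
    """Run both checks on the current host and return the findings."""
    ps_out = subprocess.run(["ps", "-e", "-o", "pid="],
                            capture_output=True, text=True, check=True).stdout
    locate = subprocess.run(["locate", term],
                            capture_output=True, text=True).stdout.splitlines()
    return {
        "hidden_pids": hidden_pids(pids_from_proc(), pids_from_ps_output(ps_out)),
        "stale_locate": stale_locate_hits(locate),
        "prefix_rewritten": prefix_rewritten_hits(locate),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_live(), indent=2))
```

On a box under suspicion, `ps` and `locate` are themselves suspects, so run the live check with copies of those binaries from the restore media (or a rescue CD) and compare against the installed ones; a non-empty `prefix_rewritten` list points at the slocate database or the locate binary, while a persistent entry in `hidden_pids` is the process chkrootkit is warning about.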