[1769] in linux-security and linux-alert archive


[linux-security] Re: Re: Bind Overrun Bug and Linux

daemon@ATHENA.MIT.EDU (The Nolander)
Fri May 22 16:54:55 1998

Date: Fri, 22 May 1998 19:17:47 +0200 (CEST)
From: The Nolander <nolander@krixor.xy.org>
In-reply-to: <3561D7BD.E63810FD@wisper.net>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

On Tue, 19 May 1998, Leigh Porter wrote:

> It seems that the perpetrator used ncftp to get a file called "hide" from various
> systems which no longer seem to have this. This file contained an archive of
> the trojans that were inserted into the compromised system - does anybody know
> what is in these trojans?

Check the Linux RootKit ... (LRK)..

Typically LRK uses config-files.. (and typically LRK-users place
files in /dev.. find /dev -type f | grep -v MAKEDEV.. examine results)

ps
ls
top
netstat
ifconfig
linsniff
login

I think those are the ones included in LRK..

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
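
The `/dev` check suggested in the message above, written as a stricter shell function. This is an added example, not part of the original post; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): stricter form of
#   find /dev -type f | grep -v MAKEDEV

# Print every regular file under ROOT (default /dev), one path per line.
dev_regular_files() {
    root=${1:-/dev}
    # -xdev keeps find on ROOT's own filesystem, so separately mounted
    # tmpfs trees such as /dev/shm (regular files are normal there) are
    # skipped. "! -name MAKEDEV" drops only files named exactly MAKEDEV;
    # "grep -v MAKEDEV" would also hide MAKEDEV.bak or MAKEDEV_x/anything.
    find "$root" -xdev -type f ! -name MAKEDEV -print
}

# Count the same set without parsing paths (safe for odd file names).
dev_regular_count() {
    root=${1:-/dev}
    n=$(find "$root" -xdev -type f ! -name MAKEDEV -exec printf x \; | wc -c)
    echo $((n))
}

# Build a constructed /dev-like tree for a dry run (no root needed, so a
# FIFO stands in for device nodes). All names below are made up.
build_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/MAKEDEV_x" "$t/pts"
    : > "$t/MAKEDEV"              # legitimate helper script name
    : > "$t/MAKEDEV.bak"          # look-alike name, must be reported
    : > "$t/MAKEDEV_x/cfg"        # hidden from grep -v MAKEDEV
    : > "$t/pts/.hidden conf"     # dot file with a space in its name
    mkfifo "$t/fifo0"             # not a regular file, must be ignored
    ln -s MAKEDEV "$t/link0"      # symlink, must be ignored
    echo "$t"
}
```

On a live system, run `dev_regular_files /dev` and examine each reported path; any regular file there needs an explanation.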
