[1769] in linux-security and linux-alert archive
[linux-security] Re: Re: Bind Overrun Bug and Linux
daemon@ATHENA.MIT.EDU (The Nolander)
Fri May 22 16:54:55 1998
Date: Fri, 22 May 1998 19:17:47 +0200 (CEST)
From: The Nolander <nolander@krixor.xy.org>
In-reply-to: <3561D7BD.E63810FD@wisper.net>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
On Tue, 19 May 1998, Leigh Porter wrote:
> It seems that the perpetrator used ncftp to get a file called "hide" from various
> systems which no longer seem to have this. This file contained an archive of
> the trojans that were inserted into the compromised system - does anybody know
> what is in these trojans?
Check the Linux RootKit ... (LRK)..
Typically LRK uses config files.. (and typically LRK users place
files in /dev.. find /dev -type f | grep -v MAKEDEV.. examine results)
ps
ls
top
netstat
ifconfig
linsniff
login
I think those are the ones included in LRK..
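
The /dev check suggested in the reply above, written out as a POSIX shell script (an added example, not part of the original post). The function names are hypothetical; the binary names are the ones listed in the post.

```sh
#!/bin/sh
# Added example: audit a device directory for regular files.
# LRK_NAMES holds the program names listed in the post.
LRK_NAMES="ps ls top netstat ifconfig linsniff login"

# dev_regular_files [DIR]: print regular files under DIR (default /dev), sorted.
# -xdev keeps find on DIR's own filesystem, so a separately mounted tmpfs such
# as /dev/shm is not reported. MAKEDEV scripts are skipped by file name, which
# is narrower than "grep -v MAKEDEV" (that also hides any path containing it).
dev_regular_files() {
    find "${1:-/dev}" -xdev -type f ! -name 'MAKEDEV*' -print 2>/dev/null | LC_ALL=C sort
}

# dev_audit [DIR]: long listing of each hit; returns 1 if anything was found.
dev_audit() {
    hits=$(dev_regular_files "${1:-/dev}")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
    return 1
}

# lrk_name_paths: where each listed name resolves in PATH, as a worklist for
# comparison against package-manager or known-good checksums.
lrk_name_paths() {
    for n in $LRK_NAMES; do
        p=$(command -v "$n" 2>/dev/null) && printf '%s\t%s\n' "$n" "$p"
    done
    return 0
}

# Run the audit only when a directory is given, e.g.:  sh devaudit.sh /dev
if [ "$#" -gt 0 ]; then
    dev_audit "$1" || echo "regular files found under $1" >&2
    lrk_name_paths
fi
```

Because ls and ps are on the list of replaced programs, run this with binaries from known-good media rather than the ones on the suspect host.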