
Re: [cobalt-users] CHkrootkit output



Sounds like a Trojan of some sort.
Can you see it running in top?




----- Original Message ----- 
From: "PageKeeper Service" <host@xxxxxxxxxxxxxxxxxxxxx>
To: <cobalt-users@xxxxxxxxxxxxxxx>
Sent: Sunday, April 18, 2004 10:57 AM
Subject: Re: [cobalt-users] CHkrootkit output


> Subject: Re: [cobalt-users] CHkrootkit output
>
>
> > >
> > > I believe that machine has been hacked. Is cron doing weird stuff?
> > > Other processes like devine?
> >
> >
> > And your conclusion is based on ??
> Seeing it first hand. Some notes..
> Cron will work. Turning it off is the problem, a process called devine
> will pop up usually once a day and stay running. It's nasty. Believe it can
> sniff the username and pw of clients' ISP logins besides the system
> passwords. They used a wget from the server to download it from a free
> ISP in Europe.
> They entered through a script called phpnuke one time and cgi (forgot the
> name) on another raq4. Other than those notes it ran fine. It also
> searches files for cc numbers, email addresses and any ftp user
> connections from any scripts.
> Once I saw that, it went offline. A reboot usually starts the ball rolling
> if I remember right, then clients can be locked out of shell and ftp along
> with the admin. Mods to the hosts.deny and allow files.
>
> > Cron is fully operational and normal.
> >
> > No strange processes
>
>   David Hahn
>   PageKeeper Service
>   1512 Deborah Road #102
>   Rio Rancho, New Mexico 87124 US
>   505-892-8723
>   http://www.pagekeeperservice.com
>
>