[cobalt-users] mdump rpc.rusers -- hacked
- Subject: [cobalt-users] mdump rpc.rusers -- hacked
- From: "Filiberto Ricci" <filiberto@xxxxxxxxx>
- Date: Wed Feb 21 09:40:18 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi!
Sorry if I repost this, but I sent it the first time early this morning and
I still haven't seen it on the list.
Did it get lost?
Anyway, it's very important for me.
I found strange things, so I investigated a bit...
There was some port 57 displayed by netstat -nea and
by pidport (a perl script that scans ports).
See my previous post.
I installed chkrootkit and I got:
PID 437: not in ps output
PID 10109: not in ps output
PID 10145: not in ps output
PID 19674: not in ps output
PID 19677: not in ps output
You have 5 process hidden for ps command
Possible LKM Troian
Then I checked this:
rpm -V net-tools-1.57-C1
..5.... /bin/netstat
I think it's a checksum error (even if as a newbie I don't really understand
what it means).
So I reinstalled the
net-tools-1.57-C1.i386.rpm
and now the checksum is ok
Then I kill -9 all the hidden PIDs, but two of them seem to be my telnet
connection (one for admin and one for su):
if I kill them the connection drops, and every time I connect those
two hidden processes are displayed again by chkrootkit.
It seems that when I connect I open two connections (one of them hidden) instead
of one.
Then some of those hidden PIDs were displayed by top:
/sbin/mdump and
/usr/sbin/rpc.rusers
I could see them with the find command, but not if I list the directory as
root:
they are hidden.
ls -alg doesn't display them.
Now it seems they don't start anymore.
What are they?
Port 57 is no longer signaled by pidport or by netstat -nea.
I did a (very boring)
rpm -V on all the installed rpms and I found lots of errors.
So now I'm going to reinstall the rpms, but as a newbie I'm not sure in which
order I should do it.
Processes in ps aux are still being displayed by user.
inetd.conf seems to be normal.
The server is working fine: I can normally connect with ftp, telnet, etc.
What should I do?
Should I erase those mdump and rpc.rusers?
How can I stop those two hidden processes from coming up too?
If there are other hidden files in the system, how do I find them?
Thanks in advance,
Filiberto
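As an added example (not part of Filiberto's post or of the list), a small Python parser for `rpm -V` output that decodes the attribute columns behind a line like `..5....  /bin/netstat` and singles out the non-config files whose digest or size changed, which are the ones worth reinstalling from a trusted package and investigating. The sample output is constructed; the column meanings are rpm's documented ones.

```python
import re

# Meaning of each column of an `rpm -V` result line. rpm 3.x prints eight
# columns (SM5DLUGT); rpm 4.x adds a ninth 'P' column for capabilities.
RPM_VERIFY_COLUMNS = {
    "S": "file size differs",
    "M": "mode (permissions/type) differs",
    "5": "MD5/digest differs from the package database",
    "D": "device major/minor number mismatch",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "modification time differs",
    "P": "capabilities differ",
}

# Flags, an optional attribute marker (c=config, d=doc, g=ghost, l=license,
# r=readme), then the path. 7..9 flag columns are accepted so that lines
# truncated by mail wrapping (as in the post above) still parse.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{7,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr]+)\s+)?(?P<path>/\S+)$"
)

# Constructed sample of `rpm -V` output for a compromised-looking host.
SAMPLE = """\
..5.....   /bin/netstat
S.5....T   /sbin/ifconfig
.......T c /etc/inetd.conf
missing    /usr/sbin/rpc.rusersd
"""

def parse_rpm_verify(output):
    """Return [(path, attr, [human-readable problems])] for each result line."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # package headers, warnings, blank lines
        flags, attr, path = m.group("flags"), m.group("attr") or "", m.group("path")
        if flags == "missing":
            problems = ["file missing"]
        else:
            problems = [RPM_VERIFY_COLUMNS[c] for c in flags if c in RPM_VERIFY_COLUMNS]
        findings.append((path, attr, problems))
    return findings

def suspicious_binaries(findings):
    """Non-config files whose content changed: replaced-binary candidates."""
    return [path for path, attr, problems in findings
            if "c" not in attr
            and any(p.startswith(("MD5", "file size")) for p in problems)]
```

Config files (`c`) legitimately drift after editing, so only content changes on non-config files are reported; a clean `rpm -V` after reinstalling still proves nothing if the rpm binary or the package database was itself replaced, which is why the comparison belongs on a trusted system or against known-good package files.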