
Re: [cobalt-users] kofa\r and kofif\r in base directory.



On Sat, 24 Feb 2001, Jim Hagani wrote:
[snip]
> Just wanted to thank you personally.
> 
> My system was hacked last week, and I had the ISP do a complete restore, I
> installed all the latest upgrades and even portsentry and logcheck. Not even
> a week, and here they are again. I can not afford another OS restore, so I
> have to do it myself.
> 
> For your info, the files showed as kofa\r and kofif\r and I could not delete
> them that way
> rm kofa\\r did not work, I figured out the actual file names are kofa? and
> Kofif?, why they show that way, don't know. I found another instance of

because they had real newlines embedded in the names, slightly nastier...

> these files at /proc/1020. deleted those also. chkrootkit does not show
> anything wrong.

um... you deleted a file in /proc successfully? that's interesting....

type mount, make sure /proc shows up there

> 
> But still when I reboot, sshd puts the listener on port 22, they have to be
> somewhere else.
> I will go from one directory to another, pico every file until I find them.

How do you know pico is safe? lol

Let the machine help you

/usr/sbin/fuser 22/tcp

will give you a process # for that sshd, and ps e #
will give you its location

You need to be root to use fuser, and if ps says there's no such process
you probably have a replaced ps (however if you have a faked /proc ps
won't work right)

Starting to see how twisted this gets? 

> I will appreciate any pointers on this quest.

You need to port scan that machine asap and make sure it has no really
open holes...and look at all the cron jobs, you have a heck of a project
in store -)

> The good part is: I am learning a lot!

The bad part is the hackers learn faster...
They have nothing better to do than think up new tricks...

gsh
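As an added example (not code from the original post, from gsh, or from Cobalt), the steps gsh describes scripted in POSIX sh: finding the entries whose names contain a real newline or carriage return (what ls shows as kofa\r), removing them by inode rather than by name, checking that procfs is really what is mounted on /proc, and resolving the sshd listener on port 22 to a pid and then to the binary the kernel executed via /proc/<pid>/exe so the answer can be compared with what ps claims. It assumes Linux with /proc mounted and GNU or BusyBox find, ls, awk and fuser; the function names and the kofa/kofif sample files are constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the original cobalt-users post.
# Assumes Linux with /proc mounted, a POSIX sh, GNU or BusyBox find/ls/awk/fuser.
# Function names and the kofa/kofif sample names are hypothetical / constructed.

NL='
'
CR=$(printf '\r')

# Print "inode<TAB>name" for every entry in directory $1 whose name contains a
# newline or carriage return. ls prints the raw newline when piped, so only the
# first output line of "ls -di" carries the inode. The name is shown with the
# control characters replaced by "?", which is how the poster saw them.
oddname_inodes() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        case $f in
            *"$NL"*|*"$CR"*)
                ino=$(ls -di -- "$f" | head -n 1 | awk '{print $1}')
                printf '%s\t%s\n' "$ino" "$(printf '%s' "${f##*/}" | tr '\n\r' '??')"
                ;;
        esac
    done
}

# Delete the entry in directory $1 with inode $2. Matching on the inode
# sidesteps the unprintable name entirely, so no quoting tricks are needed.
rm_by_inode() {
    find "$1" -maxdepth 1 -mindepth 1 -inum "$2" -exec rm -f -- {} +
}

# Remove every newline/CR-named entry in $1.
purge_oddnames() {
    dir=$1
    oddname_inodes "$dir" | cut -f1 | while read -r ino; do
        rm_by_inode "$dir" "$ino"
    done
}

# /proc entries are synthesised by the kernel; if something under /proc/1020
# could be rm'd, /proc may not be procfs at all. Check what is mounted there
# before trusting ps, fuser or anything else that reads it.
proc_mounted() {
    [ -d /proc/self ] &&
    awk '$2 == "/proc" && $3 == "proc" { ok = 1 } END { exit !ok }' /proc/mounts
}

# Binary the kernel actually executed for pid $1, straight from procfs.
pid_exe() {
    readlink "/proc/$1/exe"
}

# Pids holding tcp port $1 (needs root to see other users' sockets).
port_pids() {
    fuser "$1/tcp" 2>/dev/null
}

# For each listener on tcp port $1, show the real executable next to what ps
# reports; a missing or different answer from ps is the "replaced ps" case.
check_port() {
    port=$1
    for pid in $(port_pids "$port"); do
        psname=$(ps -o comm= -p "$pid" 2>/dev/null) ||
            psname='(no such process according to ps: is ps trojaned?)'
        printf 'port %s: pid %s exe=%s ps=%s\n' \
            "$port" "$pid" "$(pid_exe "$pid")" "$psname"
    done
}
```

Run as root: `check_port 22` to trace the listener, `oddname_inodes /` then `purge_oddnames /` for the base directory. If `proc_mounted` fails, stop and fix the mount first, because every other check here reads /proc.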