RE: [cobalt-users] Trinoo DDoS server in init
- Subject: RE: [cobalt-users] Trinoo DDoS server in init
- From: Reinoud van Leeuwen <rvanleeuwen@xxxxxxxxxxxx>
- Date: Sun Feb 25 22:30:02 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
> Great, thanks guys. I removed /usr/sbin/init and that solved that problem.
> However now I wonder from which script the /usr/sbin/init file was being
> called. I've gone through all the scripts in /etc/rc.d and can't find
> anything.
I guess you have not yet rebooted? :-)
init is the first binary that is started on any Unix system. It always has
process ID 1. I do not think your box will be able to boot next time until
you have put a correct init back...
> However I did notice the file dates on /etc/rc.d/init.d/tmpinit
> and arkeia have been changed. Does anyone have the correct copies of these
> files available? Lastly, all files in /lib/security have their file dates
> changed. Are the files in /lib/security part of an rpm or package I can
> download and reinstall?
>
> Ohh yeah, and I would like to second that notion of chopping their fingers
> off!
>
> Thanks again,
> Roger
>
> ----- Original Message -----
> From: "Tony" <isplists@xxxxxxxxxxxx>
> To: <cobalt-users@xxxxxxxxxxxxxxx>
> Sent: Thursday, February 15, 2001 7:47 PM
> Subject: RE: [cobalt-users] Trinoo DDoS server in init
>
>
> >
> > +> I was hacked a few days ago, and it looks as though my /usr/sbin/init file
> > +> has been replaced with a version containing a Trinoo DDoS server. The init
> > +> file /sbin/init appears untouched however. Is /sbin/init the same file as
> > +> /usr/sbin/init, or are they different. If they are different, could someone
> > +> possibly attach a clean version to an e-mail or put it up on a web site etc?
> > +>
> > +
> > +[root@www /root]# ls -l /usr/sbin/init
> > +ls: /usr/sbin/init: No such file or directory
> > +
> > +[root@www /root]# ls -l /sbin/init
> > +-rwxr-xr-x 1 root root 27176 Apr 25 2000 /sbin/init
> > +
> > +[root@www /root]# md5sum /sbin/init
> > +5a64a78a799ab2e0cc3c8a6f931ab2f4 /sbin/init <== could someone else verify?
> > +
> > +other md5 checksums here:
> > +
> > +http://list.cobalt.com/pipermail/cobalt-users/2001-February/032902.html
> >
> >
> > Mine matches:
> >
> > [root /sbin]# md5sum init
> > 5a64a78a799ab2e0cc3c8a6f931ab2f4 init
> >
> > The bogus init is at /usr/sbin
> >
> > Looks like they also enabled samba.
> >
> > *!GDMOFOS.
> >
> > I would really like to see the scriptkiddies that are behind this have
> > everyone of their fingers chopped off with a pair of pruning shears.
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
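A check for the situation described in this thread, added here as an example and not part of any of the original posts: it flags an unexpected /usr/sbin/init, compares /sbin/init against the md5 quoted in the thread, and, assuming an rpm-based box where /lib/security belongs to the pam package, lets rpm verify the PAM modules whose dates Roger saw change. The ROOT argument (to run it against a test tree or a mounted disk) and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the cobalt-users thread.
# Known-good md5 of /sbin/init as posted in the thread (Cobalt box, Feb 2001).
KNOWN_GOOD_INIT_MD5="5a64a78a799ab2e0cc3c8a6f931ab2f4"

# md5_of FILE -> prints the md5 hex digest of FILE
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# check_init [ROOT] [EXPECTED_MD5]
# Returns 0 when clean, 1 when a rogue ROOT/usr/sbin/init exists or
# ROOT/sbin/init is missing or does not match EXPECTED_MD5.
# ROOT defaults to the live filesystem; EXPECTED_MD5 to the thread's value.
check_init() {
    root="${1:-}"
    expected="${2:-$KNOWN_GOOD_INIT_MD5}"
    status=0
    # The real init lives in /sbin; anything at /usr/sbin/init is suspect.
    if [ -e "$root/usr/sbin/init" ]; then
        echo "ALERT: unexpected $root/usr/sbin/init present (real init is /sbin/init)"
        status=1
    fi
    if [ ! -f "$root/sbin/init" ]; then
        echo "ALERT: $root/sbin/init missing; the system will not boot without it"
        status=1
    elif [ "$(md5_of "$root/sbin/init")" != "$expected" ]; then
        echo "ALERT: $root/sbin/init md5 differs from the expected value"
        status=1
    fi
    return $status
}

# verify_pam: ask rpm which package owns /lib/security and verify that
# package (assumption: rpm-based system; on Cobalt this is the pam rpm).
# rpm -V prints nothing when every file still matches the package database.
verify_pam() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    pkg=$(rpm -qf /lib/security) || return 2
    rpm -V "$pkg"
}
```

Run `check_init` with no arguments on the live box (or with a mount point such as `/mnt/disk` for an offline check), then `verify_pam`; any ALERT line or any rpm -V output is a reason to reinstall from a clean package rather than trust the file.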