RE: [cobalt-users] unable to remove file
- Subject: RE: [cobalt-users] unable to remove file
- From: "Rick" <rick@xxxxxxxxxxxx>
- Date: Sun Jul 7 02:13:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hey,
My server has been hacked via LKM and ps trojans.
I suspect that the file is one that causes the trojan.
I've pasted a result below from chkrootkit.
Checking `lkm'... You have 2 process hidden for readdir command
You have 2 process hidden for ps command
Warning: Possible LKM Trojan installed
+ /bin/echo -n Checking `lkm'...
+ lkm
+ [ ( Linux = Linux -o ( Linux = FreeBSD -a 44 -gt 43 ) ) -a / = / ]
+ [ ! -x ./chkproc ]
+ [ = t ]
+ [ -r /proc/ksyms ]
++ /bin/egrep -i adore
+ [ -d /proc/knark ]
+ ./chkproc
Checking `lkm'... You have 2 process hidden for readdir command
+ echo Warning: Possible LKM Trojan installed
Kindly Advise
Rick
-----Original Message-----
From: cobalt-users-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of E.B. Dreger
Sent: Sunday, July 07, 2002 4:53 PM
To: cobalt-users@xxxxxxxxxxxxxxx
Subject: RE: [cobalt-users] unable to remove file
> Date: Sun, 7 Jul 2002 01:17:00 -0400 (EDT)
> From: flash22
[ somewhat snipped ]
> You can't remove things in /proc, they are all make believe
> files
>
> Um, *why* are you trying to remove them?
That's what I want to know.
Randomly deleting files is not a smart idea. I doubt that many
people open the hood of their car and start tearing out hoses...
why do the equivalent on a computer?
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@xxxxxxxxx>
To: blacklist@xxxxxxxxx
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots.
Do NOT send mail to <blacklist@xxxxxxxxx>, or you are likely to
be blocked.
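The chkrootkit output quoted in this thread reports processes "hidden for readdir command" and "hidden for ps command". The sketch below is an added example, not part of the original messages and not chkrootkit's or chkproc's own code; it shows the cross-view idea behind such a warning on a Linux /proc, and all function names in it are hypothetical.

```python
import os
import subprocess

def readdir_view(proc="/proc"):
    """PIDs the kernel lists when /proc is read as a directory."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def ps_view():
    """PIDs reported by the ps binary (itself a candidate for replacement)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def probe_view(max_pid):
    """PIDs that answer signal 0, independent of any directory listing."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # process exists but belongs to another user
        alive.add(pid)
    return alive

def is_thread(pid, proc="/proc"):
    """Current Linux kernels do not list non-leader thread IDs; skip them."""
    try:
        with open(os.path.join(proc, str(pid), "status")) as fh:
            tgid = [ln.split()[1] for ln in fh if ln.startswith("Tgid:")]
        return bool(tgid) and int(tgid[0]) != pid
    except OSError:
        return False  # unreadable entry stays a suspect

def compare(alive, readdir_pids, ps_pids, proc="/proc"):
    """Return PIDs that are alive but missing from each listing."""
    real = {p for p in alive if not is_thread(p, proc)}
    return {"readdir": sorted(real - readdir_pids), "ps": sorted(real - ps_pids)}

def scan(proc="/proc"):
    with open(os.path.join(proc, "sys/kernel/pid_max")) as fh:
        max_pid = int(fh.read())
    before = probe_view(max_pid)
    listed, shown = readdir_view(proc), ps_view()
    # Keep only PIDs alive both before and after the listings were taken,
    # so processes that start or exit mid-scan are not reported.
    return compare(before & probe_view(max_pid), listed, shown, proc)

if __name__ == "__main__":
    print(scan())
```

A non-empty result is a lead to investigate rather than proof, because a kernel module that filters directory reads can also interfere with the probe itself.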