Re: [cobalt-users] Hacked - Ambient's Rootkit for Linux ?
- From: David Lucas <david@xxxxxxxxxxxxxxxx>
- Date: Fri Nov 8 14:22:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
At 03:40 PM 11/8/2002, you wrote:
Hi all,
I believe I have been hacked (well I'm sure, but I still have hope)
chkrootkit returns:
Checking `du'... INFECTED
Checking `killall'... INFECTED
Checking `ls'... INFECTED
Checking `netstat'... INFECTED
Checking `ps'... INFECTED
Checking `pstree'... INFECTED
Checking `syslogd'... INFECTED
Checking `top'... INFECTED
With the following time stamps and sizes
-rwxrwxr-x 1 root root 43336 Nov 8 15:40 login
-rwxrwxr-x 1 root root 184023 Nov 8 15:40 ls
-rwxrwxr-x 1 root root 258612 Nov 8 15:40 netstat
-rwxrwxr-x 1 root root 47388 Nov 8 15:40 ps
-rwxrwxr-x 1 root root 28696 Nov 8 15:40 syslogd
-rwxrwxr-x 1 root root 117311 Nov 8 15:40 du
-rwxrwxr-x 1 root root 22459 Nov 8 15:40 killall
-rwxrwxr-x 1 root root 24147 Nov 8 15:40 pstree
-rwxrwxr-x 1 root root 68692 Nov 8 15:40 top
-rwxrwxr-x 1 root root 655916 Nov 8 15:40 sshd
The only patch I'm missing (I believe) is RaQ4-mod_ssl-2.8.4.pkg.
ANY Help and advice would be appreciated
Regards
Andy
All those files have a time stamp of 3:40 pm of today????????
Somebody's touched them.
Ironically, I am in the central time zone of the US and your email from 21:40
came at 15:40
You don't say what machine you have.
My raq4r with all the updates has
ls 50148 9/8/1999
login 21672 6/20/2000
these are from the /bin directory - does this tell you enough?
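The checks the reply makes by eye (every binary carrying the same timestamp, sizes that differ from a fully updated RaQ4r) can be run mechanically over the posted listing. This is an added example, not part of the original thread; the function names, the group/world-writable check and the `cluster_min` threshold are assumptions of this example.

```python
from collections import Counter

# `ls -l` lines exactly as posted in the message above.
LISTING = """\
-rwxrwxr-x 1 root root 43336 Nov 8 15:40 login
-rwxrwxr-x 1 root root 184023 Nov 8 15:40 ls
-rwxrwxr-x 1 root root 258612 Nov 8 15:40 netstat
-rwxrwxr-x 1 root root 47388 Nov 8 15:40 ps
-rwxrwxr-x 1 root root 28696 Nov 8 15:40 syslogd
-rwxrwxr-x 1 root root 117311 Nov 8 15:40 du
-rwxrwxr-x 1 root root 22459 Nov 8 15:40 killall
-rwxrwxr-x 1 root root 24147 Nov 8 15:40 pstree
-rwxrwxr-x 1 root root 68692 Nov 8 15:40 top
-rwxrwxr-x 1 root root 655916 Nov 8 15:40 sshd
"""

# Sizes the reply reports for /bin on a fully updated RaQ4r.
KNOWN_GOOD_SIZES = {"ls": 50148, "login": 21672}

def parse(listing):
    """Parse `ls -l` lines into dicts; lines that do not fit are skipped."""
    rows = []
    for line in listing.splitlines():
        f = line.split(None, 8)  # mode links owner group size mon day time name
        if len(f) == 9 and f[4].isdigit():
            rows.append({"mode": f[0], "size": int(f[4]),
                         "mtime": " ".join(f[5:8]), "name": f[8]})
    return rows

def triage(rows, baseline, cluster_min=3):
    """Return {name: [reasons]} for entries that deserve a closer look."""
    stamps = Counter(r["mtime"] for r in rows)
    findings = {}
    for r in rows:
        reasons = []
        if r["mode"][5] == "w" or r["mode"][8] == "w":  # group or other write bit
            reasons.append("group/world-writable")
        if stamps[r["mtime"]] >= cluster_min:  # many binaries modified together
            reasons.append(f"mtime shared by {stamps[r['mtime']]} files")
        good = baseline.get(r["name"])
        if good is not None and good != r["size"]:
            reasons.append(f"size {r['size']} != known-good {good}")
        if reasons:
            findings[r["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage(parse(LISTING), KNOWN_GOOD_SIZES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Size and timestamp are weak signals and can be forged; a match does not clear a binary, so confirm by comparing hashes against a known-good copy read from trusted media rather than with the host's own tools.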