Kernel root kits are very good at hiding themselves when they are running. The best way is to mount the hard drive in another box as /mnt or something and run chkrootkit over it and also md5sum known hacked binaries like ls etc.
> OK :)
>
> So, for now I killed this process, disabled the cronjob and killed web
> server - there is no way the attacker is capable of coming back into
> server or is there a chance that there is another backdoor installed
> somewhere (chkrootkit doesn't find anything).
>
> Nejc
>
> Marcin Owsiany wrote:
>
> >On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
> >
> >>On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
> >>
> >>>Can you get any information out of this cron file? I tried creating the
> >>>same exec that this file creates, but obviously I was doing sth wrong :)
> >>
> >>The crontab writes out a binary file and executes it. I straced the
> >>binary on a virtual machine with no network.
> >>
> >>It's attempting to connect to two different hosts:
> >>
> >>210.169.91.66:5454
> >
> >This is an IRC server. The program seems to be an IRC zombie.
> >
> >Marcin
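The offline check the reply above recommends (mount the suspect disk on a clean box, then compare md5sums of system binaries such as ls against known-good values) can be scripted. The following is an added example written for this thread, not code posted by anyone in it. It assumes the suspect disk is already mounted read-only under a directory such as /mnt, and that a baseline file in `md5sum` output format was produced on a trusted system with the same distribution and package versions; the paths in the baseline are relative to the root of the suspect filesystem. The fixture built by `make_demo_fixture` is constructed sample data so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: verify binaries on an offline-mounted disk against a
# baseline of known-good md5sums. Not code from the mailing-list thread.

# verify_binaries ROOT BASELINE
#   ROOT     - mount point of the suspect filesystem (e.g. /mnt)
#   BASELINE - file of "<md5>  /path/to/binary" lines from a trusted system
# Prints one line per missing or modified file; returns 0 if everything
# matches, 1 otherwise.
verify_binaries() {
    root="$1"
    baseline="$2"
    status=0
    while read -r sum path; do
        target="$root$path"
        if [ ! -f "$target" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(md5sum "$target" | awk '{print $1}')
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED $path (expected $sum, got $actual)"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Constructed fixture for demonstration: a fake "mounted disk" holding two
# small stand-ins for /bin/ls and /bin/ps, a baseline taken while both are
# intact, then ps is overwritten to simulate a replaced binary. Prints the
# fixture directory so the caller can clean it up.
make_demo_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/disk/bin"
    printf 'original ls\n' > "$dir/disk/bin/ls"
    printf 'original ps\n' > "$dir/disk/bin/ps"
    # Record hashes with absolute paths, as a baseline from a clean system
    # of the same package versions would list them.
    ( cd "$dir/disk" && md5sum ./bin/ls ./bin/ps | sed 's| \./| /|' ) \
        > "$dir/baseline.md5"
    # Simulate the kind of replacement a rootkit makes to hide processes.
    printf 'trojaned ps\n' > "$dir/disk/bin/ps"
    echo "$dir"
}

# Demo run on the constructed fixture. Against a real suspect disk, replace
# the two arguments with the mount point and the trusted baseline file.
demo=$(make_demo_fixture)
verify_binaries "$demo/disk" "$demo/baseline.md5" \
    || echo "baseline check FAILED: do not trust this disk's binaries"
rm -rf "$demo"
```

The baseline must come from a trusted source (a clean install, or a copy of the package hash lists taken before the incident), never from the suspect disk itself, since anything that replaced ls or ps could also have edited the hash lists sitting beside them. Running the comparison from a clean host against the mounted filesystem sidesteps a kernel rootkit's ability to lie about file contents on the compromised machine, which is the point the reply above makes. `sha256sum` can be dropped in for `md5sum` with no other change if a stronger hash is preferred.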