This is slightly off-topic, so cross-post if necessary.
When performing an incident recovery for company XYZ, I found the following
in root's crontab: * * * * * /usr/sbin/ns
This appears to be a backdoor of some sort. The reason I post this is to
see if anyone has seen this type of binary before and to get a little more
information on exactly what it is.
What I know is that it was running non-stop from cron and it opens 3 UDP ports.
It may be a client/server app? Any ideas?
Here's the output from `strings ns` (the 3 IP addresses at the start have
been changed for incident purposes):
aaa.aaa.bbb.xxx
aaa.aaa.ccc.xxx
aaa.aaa.ddd.xxx
socket
bind
recvfrom
%s %s %s
aIf3YWfOhw.V.
PONG
*HELLO*
--
-----------------------------------------------------------------------
Dominick Glavach, IS Security/System Engineer [EMAIL PROTECTED]
Concurrent Technologies Corporation 814/269-2469
PGP fingerprint: F1 EB F3 DE 69 93 80 BF 00 14 77 E9 8B 61 A8 73
PGP Public Key : ftp.ctc.com/pub/PGP-keys/glavach.asc
-----------------------------------------------------------------------
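A small triage script, added here as an example and not part of the original post, that applies the two checks described above: it pulls every-minute jobs out of a crontab and flags the indicators visible in the `strings` dump (hard-coded IPv4 addresses, raw socket calls, and the PONG/*HELLO* keepalive tokens). The crontab and strings input are constructed samples modelled on the post, using TEST-NET addresses in place of the redacted ones.

```python
import re

# Constructed sample inputs modelled on the post (TEST-NET addresses, not the originals).
CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
* * * * * /usr/sbin/ns
"""
STRINGS_OUTPUT = """\
192.0.2.10
192.0.2.11
192.0.2.12
socket
bind
recvfrom
%s %s %s
aIf3YWfOhw.V.
PONG
*HELLO*
"""

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
NET_CALLS = {"socket", "bind", "recvfrom", "sendto", "connect", "listen"}
AGENT_TOKENS = {"PONG", "*HELLO*"}  # keepalive-style markers quoted in the post


def every_minute_jobs(crontab):
    """Return commands scheduled as '* * * * *', i.e. re-launched every minute."""
    jobs = []
    for line in crontab.splitlines():
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6 and fields[:5] == ["*"] * 5:
            jobs.append(fields[5])
    return jobs


def triage_strings(text):
    """Group interesting lines of a `strings` dump by indicator type, in file order."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {
        "ips": [l for l in lines if IPV4.match(l)],
        "net_calls": [l for l in lines if l in NET_CALLS],
        "agent_tokens": [l for l in lines if l in AGENT_TOKENS],
    }


def findings(crontab, strings_text):
    """Combine both checks into a list of human-readable findings for the IR notes."""
    out = [f"cron: every-minute job {job}" for job in every_minute_jobs(crontab)]
    t = triage_strings(strings_text)
    if t["ips"]:
        out.append(f"strings: {len(t['ips'])} hard-coded IPv4 addresses")
    if {"socket", "bind", "recvfrom"} <= set(t["net_calls"]):
        out.append("strings: socket/bind/recvfrom present (listens for datagrams)")
    for tok in t["agent_tokens"]:
        out.append(f"strings: keepalive token {tok}")
    return out
```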