I just got 2 Red Hat 6.2 machines broken into. Has anyone seen this rootkit and
know what the exploit was?
It creates user/group tcp and runs an IRC robot (psybnc), among other things.
Thanks, Paul.
Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
Apr 29 04:22:00 noctech2 anacron[7419]: Updated timestamp for job `cron.weekly' to 2001-04-29
Apr 29 06:27:09 noctech2 ftpd[12382]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM pD9538A73.dip.t-dialin.net [217.83.138.115], anonymous
Apr 29 06:27:10 noctech2 ftpd[12382]: FTP session closed
Apr 29 07:36:55 noctech2 inetd[500]: pid 12400: exit status 1
Apr 29 07:39:30 noctech2 PAM_pwdb[12403]: (login) session opened for user tcp by (uid=0)
Apr 29 07:42:29 noctech2 PAM_pwdb[12428]: (su) session opened for user uid by tcp(uid=506)
Apr 29 07:44:15 noctech2 kernel: Kernel logging (proc) stopped.
Apr 29 07:44:15 noctech2 kernel: Kernel log daemon terminating.
Apr 29 07:44:17 noctech2 syslog: klogd shutdown succeeded
Apr 29 07:44:17 noctech2 exiting on signal 15
Apr 29 07:44:17 noctech2 syslogd 1.3-3: restart.
Apr 29 07:44:17 noctech2 syslog: syslogd startup succeeded
Apr 29 07:44:17 noctech2 kernel: klogd 1.3-3, log source = /proc/kmsg started.
Apr 29 07:44:17 noctech2 kernel: Inspecting /boot/System.map-2.2.14-5.0
Apr 29 07:44:17 noctech2 syslog: klogd startup succeeded
Apr 29 07:44:18 noctech2 kernel: Loaded 7337 symbols from /boot/System.map-2.2.14-5.0.
Apr 29 07:44:18 noctech2 kernel: Symbols match kernel version 2.2.14.
Apr 29 07:44:18 noctech2 kernel: Loaded 87 symbols from 3 modules.
Apr 29 07:44:17 noctech2 syslog: syslogd shutdown succeeded
Apr 29 08:05:49 noctech2 PAM_pwdb[12428]: (su) session closed for user uid
Apr 29 09:11:38 noctech2 rpc.statd[374]: gethostbyname error for ^X���^X���^Y���^Y���^Z���^Z���^[���^[���bffff750 8049710 8052c18687465676274736f6d616e797265206520726f7220726f66 bffff718 bffff719 bffff71a bffff71b��������������������������������������������������������������������
Apr 29 19:27:51 noctech2 ftpd[17765]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) FROM bzq-228-99.bezeqint.net [212.179.228.99], anonymous
Apr 29 19:27:52 noctech2 ftpd[17765]: FTP session closed
Apr 30 04:02:00 noctech2 anacron[17900]: Updated timestamp for job `cron.daily' to 2001-04-30
Apr 30 09:02:16 noctech2 PAM_pwdb[656]: (login) session opened for user root by LOGIN(uid=0)
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
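A small log scanner, added here as an example (it is not from the original post), that flags the three signals visible in Paul's log: the binary payload in the rpc.statd gethostbyname error, sessions opened for or by the unknown account tcp, and the syslog/klogd daemons being stopped by hand. The KNOWN_USERS allowlist and the "paul" account in it are assumptions; the sample lines are copied from the post with the statd line shortened.

```python
import re

# Syslog excerpts from the post above (wrapped lines rejoined); the statd line is shortened.
SAMPLE_LOG = """\
Apr 29 07:36:55 noctech2 inetd[500]: pid 12400: exit status 1
Apr 29 07:39:30 noctech2 PAM_pwdb[12403]: (login) session opened for user tcp by (uid=0)
Apr 29 07:42:29 noctech2 PAM_pwdb[12428]: (su) session opened for user uid by tcp(uid=506)
Apr 29 07:44:17 noctech2 exiting on signal 15
Apr 29 07:44:17 noctech2 syslogd 1.3-3: restart.
Apr 29 09:11:38 noctech2 rpc.statd[374]: gethostbyname error for ^X^X^Ybffff750 8049710 8052c18687465676274736f6d616e797265206520726f7220726f66 bffff718
Apr 30 09:02:16 noctech2 PAM_pwdb[656]: (login) session opened for user root by LOGIN(uid=0)
"""

# Accounts expected to log in on this host; "paul" is an assumption for the example.
KNOWN_USERS = {"root", "paul"}

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
SESSION_RE = re.compile(r"\((login|su)\) session opened for user (?P<user>\S+) by (?P<by>[^(]*)")
# A hostname handed to gethostbyname() should never contain control characters (raw or in
# syslog's caret notation) or long runs of hex; either means a binary payload hit rpc.statd.
PAYLOAD_RE = re.compile(r"[\x00-\x1f\x7f-\xff]|\^[A-Z\[\]]|[0-9a-f]{24,}")


def scan(log_text):
    """Return (timestamp, tag, detail) for each line that matches an intrusion indicator."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("rpc.statd") and "gethostbyname error" in msg and PAYLOAD_RE.search(msg):
            findings.append((ts, "statd-payload", msg[:50]))
        elif "exiting on signal 15" in msg or "klogd shutdown" in msg:
            # The logging daemons being killed mid-session is how an attacker blinds syslog.
            findings.append((ts, "logging-stopped", msg))
        else:
            s = SESSION_RE.search(msg)
            if s:
                actor = s.group("by").strip()
                # Flag a session for an account we do not know, or one started by such an account.
                if s.group("user") not in KNOWN_USERS or (actor and actor not in KNOWN_USERS | {"LOGIN"}):
                    findings.append((ts, "unexpected-account", msg))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The hex-run rule will also match legitimate long hex tokens (checksums, for instance), so treat it as a hint to read the surrounding lines rather than a verdict on its own.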