LinuxSA Mailing list archives
From: Andrew Keynes <list@triplei.net.au>
To : Richard Russell <richard@yellowgoanna.com>
Date: 21 Jul 2003 15:11:26 +0930
Re: anyone heard of b00ts?
Probably an automated rootkit attempting to grab an irc/ddos bot to
install.
Grab chkrootkit (http://www.chkrootkit.org/) and see if it picks up
anything.
__
Andrew Keynes
Systems Administrator
Hotkey Triple I
On Mon, 2003-07-21 at 14:52, Richard Russell wrote:
> Hi all,
>
> It appears that a legacy box I'm relatively responsible for got hacked...
> The intruder doesn't seem to have done anything significant, but kept ftping
> to b00ts.netfirms.com ...
>
> Is b00ts something significant?
>
> The only other evidence I can see is that they came from some site in
> Romania, created a user called bash with uid 0, and one called telnet.
> There's no huge number of new files... They opened up telnet and ftp,
> flushed ipchains and locked themselves out (default policy is deny). For
> some reason, when I fixed the ipchains up, apache was confused, and serving
> the wrong site... Apart from that, no damage visible. Sound familiar to
> anyone?
>
> rr
>
> PS it's RedHat 6.2...
>
> --
> Richard Russell
> Yellow Goanna P/L
> m: +61 412 827 805
> e: richard@yellowgoanna.com
> w: http://www.yellowgoanna.com
>
> --
> LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.freenode.net
> To unsubscribe from the LinuxSA list:
> mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
>
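Added example, not part of either message above: a short Python triage check for the indicators reported in this thread (an extra uid 0 account, accounts named like programs, telnet and ftp switched on). The sample data is constructed, and the inetd.conf-style service file and the SUSPECT_NAMES list are assumptions.

```python
# Constructed sample data (both blobs), not taken from the affected host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
bash:x:0:0::/home/bash:/bin/bash
telnet:x:501:501::/home/telnet:/bin/bash
"""

SAMPLE_INETD = """\
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
"""

# Assumption: account names that look like programs or services, not people.
SUSPECT_NAMES = {"bash", "sh", "telnet", "ssh", "login"}
WATCHED_SERVICES = {"telnet", "ftp"}


def audit_passwd(text):
    """Return (name, reason) pairs for passwd entries worth a closer look."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((f"line {lineno}", "malformed entry"))
            continue
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid.isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        if name in SUSPECT_NAMES and shell.endswith("sh"):
            findings.append((name, "program-like name with a login shell"))
    return findings


def enabled_services(text):
    """Return watched services left uncommented in inetd.conf-style text."""
    active = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and fields[0] in WATCHED_SERVICES:
            active.add(fields[0])
    return sorted(active)


if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD), enabled_services(SAMPLE_INETD))
```

On a real host, pass the contents of /etc/passwd and the service configuration read from known-good media, since tools on a compromised box may have been replaced.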