strange executable found in cron report - attaching to 203.130.232.110
From: Mike Pelley (mike_at_pelleys.com)
Date: 11/28/03
- Previous message: Chiu, PCM (Peter) : "xioerror and user authentication errors"
- Next in thread: Eric Robinson: "RE: strange executable found in cron report - attaching to 203.130.232.110"
- Maybe reply: Eric Robinson: "RE: strange executable found in cron report - attaching to 203.130.232.110"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: redhat-list <redhat-list@redhat.com>
Date: Fri, 28 Nov 2003 06:59:18 -0330
Folks,
A friend of mine was reviewing her daily LogWatch reports and noted that
there was a strange entry. The file was "/tmp/.c" and the full entry was
User root:
/tmp/.c 203.130.232.110 62282: 1 Time(s)
That seems like an address in Indonesia.
When she ran "strings" against it, it had the following strings
/lib/ld-linux.so.2
__gmon_start__
libc.so.6
strcpy
connect
getenv
__strtol_internal
execve
dup2
sleep
socket
bzero
__deregister_frame_info
wait
fork
memset
gethostbyname
exit
_IO_stdin_used
__libc_start_main
setuid
__register_frame_info
close
GLIBC_2.0
PTRh@
8(t1@8(t,@8(t'@
8(t1@8(t,@8(t'@
/usr/sbin/named
SHELL
/bin/sh
Anyone have any idea what got on her system? She is running Red Hat 8
and is fully patched as can be. She also ran "chkrootkit" - the latest
build recompiled on another system - and it didn't find any rootkits.
Thanks!
Cheers,
Mike
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@redhat.com?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
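
Added example, not part of the original message or thread: a Python triage pass over a file like the one described, extracting printable strings the way strings(1) does and flagging the combinations visible in the post (socket/connect, dup2/execve with a shell path, fork/setuid, an embedded daemon path, a hidden file under /tmp). The heuristic names and groupings are assumptions of this example, and SAMPLE is constructed from strings quoted in the post, not the real binary.

```python
import os
import re

SHELLS = {"/bin/sh", "/bin/bash"}
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def extract_strings(data, min_len=4):
    """Like strings(1): runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def triage(path, data):
    """Return the names of the heuristics (assumptions of this example) that fire."""
    s = set(extract_strings(data))
    hits = []
    if path.startswith(WORLD_WRITABLE) and os.path.basename(path).startswith("."):
        hits.append("hidden-file-in-world-writable-dir")
    if {"socket", "connect"} <= s:
        hits.append("outbound-socket")
    if {"dup2", "execve"} <= s and s & SHELLS:
        hits.append("shell-on-redirected-descriptors")
    if {"fork", "setuid"} <= s:
        hits.append("forks-and-changes-uid")
    # A system daemon path inside a binary stored elsewhere deserves a closer look,
    # for instance by comparing the process list against /proc/<pid>/exe.
    daemons = sorted(x for x in s
                     if re.fullmatch(r"/usr/s?bin/[\w.-]+", x) and x != path)
    if daemons:
        hits.append("embeds-daemon-path:" + ",".join(daemons))
    return hits

# Constructed sample: strings quoted in the post, NUL-separated behind an ELF magic.
SAMPLE = b"\x7fELF\x00" + b"\x00".join([
    b"/lib/ld-linux.so.2", b"libc.so.6", b"strcpy", b"connect", b"getenv",
    b"execve", b"dup2", b"sleep", b"socket", b"fork", b"gethostbyname",
    b"setuid", b"close", b"/usr/sbin/named", b"SHELL", b"/bin/sh",
])

if __name__ == "__main__":
    for hit in triage("/tmp/.c", SAMPLE):
        print(hit)
```

Each hit is a reason to preserve the file and inspect the host further, not a verdict on what the program is.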