Re: Rooted, .haos on system
Hey..
From what I can see you've been rooted by this "group" called hoax. They
probably just had some rootkit lying around. All very simple. But still you
need to take action, my guess is that those guys aren't pros. Run
chkrootkit (ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz) for
backdoors/infected binaries. And you really need to check your local
security. I don't know what your situation is like but I would've shut down
most of my services/users and start looking for backdoors/traces and such.
Feel free to send me those tarballs if you want, I could browse em through
quick.
// Mattias Hedenskog
> I've just received word that one of our customers was rooted, and he's
> asking about the file ".haos". Nothing rings any bells, has anyone heard
> of it?
>
> ---------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
irc:tsixla@efnet,irscnet
mail:tsixla@xxxxxxxxxxx
http://tsixla.antisec.net
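
A read-only triage pass to run alongside the chkrootkit check suggested above, added here as an example and not part of the original post or of chkrootkit. The function names are assumptions, and it assumes GNU find, stat and sha256sum, ideally run from trusted media:

```shell
#!/bin/sh
# Read-only triage around an unexpected dotfile such as ".haos" (added example).
# Binaries on a rooted host may be trojaned, so prefer tools from trusted media.
# Usage (assumed): . ./triage.sh; triage .haos /

# find_named ROOT NAME: every entry called NAME under ROOT (one filesystem).
find_named() {
    find "$1" -xdev -name "$2" -print 2>/dev/null
}

# describe PATH: owner, mode, mtime (epoch), sha256 (files only), path.
describe() {
    meta=$(stat -c '%U %a %Y' "$1") || return 1
    if [ -f "$1" ]; then
        sum=$(sha256sum < "$1" | cut -d' ' -f1)
    else
        sum=-
    fi
    printf '%s %s %s\n' "$meta" "$sum" "$1"
}

# hidden_in DIR...: dot-entries inside directories that normally have none
# (for example /bin /sbin /usr/bin /dev).
hidden_in() {
    for d in "$@"; do
        find "$d" -xdev -name '.*' ! -path "$d" -print 2>/dev/null
    done
}

# changed_since FILE ROOT: regular files under ROOT modified after FILE,
# a starting point for a timeline of what followed the drop.
changed_since() {
    find "$2" -xdev -type f -newer "$1" -print 2>/dev/null
}

# triage NAME ROOT: describe each hit; nothing is modified or deleted.
triage() {
    find_named "$2" "$1" | while IFS= read -r hit; do
        describe "$hit"
    done
}
```

Save the output off the host before shutting services down, so the hashes and timestamps are available for comparison with known-good packages.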