From: Fred Cummins (fred.cummins at domain ucd.ie)
Date: Mon 20 Aug 2001 - 10:58:16 IST
I complained:
> On a RH 7.0 box, suddenly I can't login at the console. If I try as a
> user, I get a "Login incorrect" message, and /var/log/messages.....etc
Conor Daly suggested:
> Wild guess...
>
> Has the box been r00ted? Stuff enabled that used to be disabled and stuff
> disabled that used to be enabled and things
And lo-and-behold, t0rn, a popular rootkit, was lurking in /usr/src. I
found it by using 'locate puta', as t0rn and its attendant files
generally live in a directory called '.puta' which doesn't show up using
'ls -a'. I had an up-to-date set of BIND utilities, so I don't know how
this bugger got in, and I notice the files were modified by a German.
Anyone know how this might have gotten in on a reasonably up2date 7.0
box? (The box is now even more up2date.......)
--
mail: Dr Fred Cummins, Dept of Computer Science, U.C.D, Dublin 4
email: fred.cummins at ucd.ie
www: gahu.ucd.ie/~fred
phone: +353-(0)1-7162902
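
The message above describes a '.puta' directory that 'ls -a' did not show, which is what a replaced ls binary looks like. The following is an added example, not part of the original post: a cross-view check that compares the output of the ls under test with names obtained from the shell's own globbing, which does not call ls. The function names and the LS_CMD variable are assumptions made for this sketch.

```shell
#!/bin/sh
# Cross-view check for entries that an untrusted `ls` omits.
# Only catches replaced userland binaries; a kernel-level hider would
# fool both views. Run from a trusted shell where possible.
# Limitation: file names containing newlines are not handled.

# list_by_glob DIR: names in DIR as seen by shell globbing (no ls involved).
list_by_glob() {
    ( cd "$1" || exit 1
      for f in .* *; do
          case "$f" in .|..) continue ;; esac
          # Skip patterns that matched nothing and were left literal.
          [ -e "$f" ] || [ -L "$f" ] || continue
          printf '%s\n' "$f"
      done ) | LC_ALL=C sort
}

# list_by_ls DIR: names reported by the ls under test.
# LS_CMD (hypothetical variable) selects the binary; defaults to `ls`.
list_by_ls() {
    "${LS_CMD:-ls}" -a "$1" | grep -v -x -e '\.' -e '\.\.' | LC_ALL=C sort
}

# hidden_from_ls DIR: print names present on disk but absent from ls output.
hidden_from_ls() {
    tmp=$(mktemp -d) || return 1
    list_by_glob "$1" > "$tmp/disk"
    list_by_ls "$1" > "$tmp/ls"
    LC_ALL=C comm -23 "$tmp/disk" "$tmp/ls"
    rm -rf "$tmp"
}

# Usage: sh crossview.sh /usr/src
if [ "$#" -gt 0 ]; then
    hidden_from_ls "$1"
fi
```

Any name this prints exists in the directory but was left out by the ls being tested, which is a reason to verify that binary against the package database or known-good media.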