Not sure that these are viruses. I think they are part of a root-kit
that scans the internet for ssh servers that have bad passwords. I
would consider your RH box to have been compromised somehow until
proven otherwise. The usual suspects would be:
a) the box has guessable passwords that the ssh automated root scanners
found and opened up the box.
b) the box has an unpatched external facing binary that a hacker was
able to take advantage of (HTTP, SSH, email, cgi scripts?) and was
able to upload these on it
On 11/9/05, Doug Fox <dfox168 (at) hotmail (dot) com [email concealed]> wrote:
> Found two files, elf_sshscan.a and elf_portscan.a, compressed in a *.tgz
> file on a Red Hat box. Exported the file to a MS box, Trend Micro
> OfficeScan detected them as viruses, but did not provide any information
> other than the names in its knowledgebase.
>
> Searched TM site, no information was available today.
>
> Any information on these two viruses, such as how the virus got on to
> the Red Hat box, etc. is appreciated.
>
> Thanks,
>
--
Stephen J Smoogen.
CSIRT/Linux System Administrator
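
An added example, not part of the original thread: one way to check suspect (a) is to look in the sshd log for a source that failed many password attempts and then succeeded. The log lines below are constructed, and the message format ("Failed password" / "Accepted password", with "illegal user" or "invalid user" depending on OpenSSH version) and the threshold of 3 failures are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd syslog lines (not from the thread); IPs are documentation ranges.
SAMPLE_LOG = """\
Nov  9 03:12:01 rhbox sshd[2101]: Failed password for illegal user test from 192.0.2.10 port 4101 ssh2
Nov  9 03:12:03 rhbox sshd[2103]: Failed password for illegal user admin from 192.0.2.10 port 4102 ssh2
Nov  9 03:12:05 rhbox sshd[2105]: Failed password for root from 192.0.2.10 port 4103 ssh2
Nov  9 03:12:07 rhbox sshd[2107]: Failed password for guest from 192.0.2.10 port 4104 ssh2
Nov  9 03:12:09 rhbox sshd[2109]: Accepted password for guest from 192.0.2.10 port 4105 ssh2
Nov  9 08:30:44 rhbox sshd[2300]: Failed password for alice from 198.51.100.7 port 5120 ssh2
Nov  9 08:30:51 rhbox sshd[2300]: Accepted password for alice from 198.51.100.7 port 5120 ssh2
Nov  9 09:02:13 rhbox sshd[2410]: Failed password for invalid user oracle from 203.0.113.55 port 6001 ssh2
Nov  9 09:02:15 rhbox sshd[2412]: Failed password for invalid user mysql from 203.0.113.55 port 6002 ssh2
Nov  9 09:02:17 rhbox sshd[2414]: Failed password for root from 203.0.113.55 port 6003 ssh2
"""

# Matches password-auth results; older OpenSSH logs "illegal user", newer "invalid user".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:(?:invalid|illegal) user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, min_failures=3):
    """Return per-IP stats for sources with at least min_failures failed logins."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "compromised": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
        elif s["failures"] >= min_failures:
            # Success after a run of failures from one source: likely a guessed password.
            s["compromised"].append(m["user"])
    return {ip: s for ip, s in stats.items() if s["failures"] >= min_failures}

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        hit = ", ".join(s["compromised"]) or "none"
        print(f"{ip}: {s['failures']} failures, {len(s['users'])} usernames, "
              f"accounts opened after guessing: {hit}")
```

An account listed as opened after guessing is the one whose password, shell history and files deserve attention first; an empty result does not rule out suspect (b).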