Incidents
awstats holes being exploited in the wild Mar 15 2005 07:55PM
Jeremy Anderson (jeremy angelar com) (2 replies)
Re: awstats holes being exploited in the wild Mar 15 2005 10:01PM
Skip Carter (skip mira taygeta com)


> I did a find on 's', and it turned up a new directory: /var/tmp/.cache
> this directory had the following files:
>
> -rwxr-xr-x 1 apache apache 433332 Mar 13 10:12 0*
> -rwxr-xr-x 1 apache apache 147 Jul 29 2004 clear.sh*
> -rw-r--r-- 1 apache apache 253 Mar 14 08:22 ftp
> -rw-r--r-- 1 apache apache 0 Mar 14 08:22 Garion.seen
> -rwxr-xr-x 1 apache apache 160867 Mar 21 2005 httpd*
> -rwxr-xr-x 1 apache apache 24747 Mar 13 10:12 j*
> -rwxr-xr-x 1 apache apache 31757 Mar 13 10:12 k*
> -rw-r--r-- 1 apache apache 22983 Jul 29 2004 mech.help
> -rw-r--r-- 1 apache apache 1064 Mar 14 08:22 mech.levels
> -rw-r--r-- 1 apache apache 6734 Mar 13 10:12 mech.pid
> -rw-r--r-- 1 apache apache 522 Mar 14 08:22 mech.session
> -rw-r--r-- 1 apache apache 827 Mar 21 2005 mech.set
> -rwxr-xr-x 1 apache apache 22158 Mar 13 09:42 s*
> -rwxr-xr-x 1 apache apache 61 Mar 21 2005 start.sh*
> -rwxr-xr-x 1 apache apache 22446 Mar 13 10:12 v1*
> -rwxr-xr-x 1 apache apache 23414 Mar 13 10:12 v2*
> -rwxr-xr-x 1 apache apache 26958 Mar 13 10:12 x*

> j is juno.c by Sorceror of DALnet
> k is the ptrace program by anszom (at) v-lo.krakow (dot) pl [email concealed]
> v1 is vadim v.Ibeta
> v2 is vadim v.IIbeta
> x is apparently a ptrace program by Wojciech Purcynski (referenced at
> http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2003-03/0201.html )

I recently tracked down a phishing site to a compromised server
in Japan. Interestingly, several of the above files
(in particular the mech files and the ptrace program)
were installed there; it also had the tuxkit rootkit installed
on it. That system appears to have been compromised by a
vulnerable sshd.

--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Network Security Services email: skip (at) taygeta (dot) net [email concealed]
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.net/
Monterey, CA. 93940
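As an added, defender-side example (not part of the thread or of any poster's tooling), a small Python triage script that parses an `ls -l` listing like the one quoted above and flags the indicators it shows: a dot-directory under a shared temp location, executables owned by the web-server account, and mech bot data files. The sample listing is constructed from the quoted post; the list of web-server account names is an assumption to adjust per host.

```python
import re
from typing import List, NamedTuple, Tuple
# Listing constructed from the quoted post (ls -F style: trailing '*' marks
# executables); not captured from a live system.
SAMPLE_LISTING = """\
-rwxr-xr-x 1 apache apache 433332 Mar 13 10:12 0*
-rw-r--r-- 1 apache apache 253 Mar 14 08:22 ftp
-rwxr-xr-x 1 apache apache 24747 Mar 13 10:12 j*
-rw-r--r-- 1 apache apache 22983 Jul 29 2004 mech.help
"""
WEB_USERS = ("apache", "www-data", "httpd", "nobody")  # assumed; adjust per host
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
# ls -l fields: mode links owner group size month day time|year name[*]
LINE_RE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+\S+\s+"
    r"(?P<size>\d+)\s+\S+\s+\d+\s+\S+\s+(?P<name>.+?)\*?$"
)

class Entry(NamedTuple):
    mode: str
    owner: str
    size: int
    name: str

def parse_listing(text: str) -> List[Entry]:
    """Parse ls -l lines; non-matching lines (e.g. 'total 12') are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["mode"], m["owner"], int(m["size"]), m["name"]))
    return entries

def hidden_temp_dir(path: str) -> bool:
    """True for a dot-directory directly under a shared temp location."""
    parent, _, leaf = path.rstrip("/").rpartition("/")
    return parent in TEMP_DIRS and leaf.startswith(".")

def triage(path: str, listing: str) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs an incident handler should look at."""
    findings = []
    if hidden_temp_dir(path):
        findings.append((path, "hidden directory under a shared temp location"))
    for e in parse_listing(listing):
        # 'x' or 's' in the permission bits means some execute bit is set
        if any(c in "xs" for c in e.mode[1:]) and e.owner in WEB_USERS:
            findings.append((e.name, f"executable owned by web account {e.owner}"))
        elif e.name.startswith("mech."):
            findings.append((e.name, "IRC bot (mech) data file"))
    return findings
```

Run `triage("/var/tmp/.cache", SAMPLE_LISTING)` to see the directory, the executables `0` and `j`, and `mech.help` flagged while the plain `ftp` file is left alone.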

Re: awstats holes being exploited in the wild Mar 15 2005 09:32PM
John Pettitt (jpp cloudview com)
Copyright 2009, SecurityFocus