Date: Sat, 02 Dec 2000 06:38:28 +0300
From: "Mr. Blackman" <blackman@blackman.ru>
To: freebsd-security@freebsd.org
Subject: Re: which ftpd (Imortant &etc) aka wold cry
Message-ID: <3A286EB4.50908@blackman.ru>
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <Pine.BSF.4.10.10012010332310.42770-100000@bsdie.rwsystems.net> <20001201115339.G2185@nevermind.kiev.ua>

(sorry if this is offtopic)

Nevermind wrote:

> Hello, James Wyatt!
>
> >> <skipped>
>
> I've been hacked few month ago with such kind of sht
> using standard ftpd.

Do you _know_ this was "standard ftpd"?:) I think, don't:)

> ps ax | grep supa
> also make fsck in single mode several times, then search for suspicious dirs in
> /var/games, /var/*.
>
> This is hack based on loading kernel module

This is a rootkit, not a hack (vulnerability) :)

> which prevents process name supa
> to be killed
> also try to find dir or/and file named "lohi".
                                          ^^^^
File "lohi" gives you a clue - these were Russian hackers (99%), so you can meet them, buy them a beer and ask: "Guys, how do u hacked my box, a?:)"
It will be better than flaming here.

P.S> Sorry one more time.

Blackman "Peace man" <blackman@blackman.ru>