Date: Sat, 02 Dec 2000 06:38:28 +0300
From: "Mr. Blackman" <blackman@blackman.ru>
To: freebsd-security@freebsd.org
Subject: Re: which ftpd (Imortant &etc) aka wold cry
Message-ID: <3A286EB4.50908@blackman.ru>
References: <200012010823.JAA24840@gilberto.physik.rwth-aachen.de> <Pine.BSF.4.10.10012010332310.42770-100000@bsdie.rwsystems.net> <20001201115339.G2185@nevermind.kiev.ua>

(sorry if this is off-topic)

Nevermind wrote:
> Hello, James Wyatt!
>
>
>> <skipped>
>
> I was hacked a few months ago with this kind of sht
> using standard ftpd.

Do you _know_ this was "standard ftpd"? :) I think you don't :)

> ps ax | grep supa
> also make fsck in single mode several times, then search for suspicious dirs in
> /var/games, /var/*.
>
> This is a hack based on loading a kernel module

This is a rootkit, not a hack (vulnerability) :)

> which prevents the process named supa
> from being killed
> also try to find dir or/and file named "lohi".
                                          ^^^^
The file "lohi" gives you a clue - these were Russian hackers (99%), so you
can meet them, buy them a beer and
ask: "Guys, how did you hack my box, eh? :)"
It would be better than flaming here.

P.S. Sorry one more time.

Blackman
"Peace man"
<blackman@blackman.ru>
