Hi list,
A friend's box was hacked: /bin/ps, /bin/login and /bin/ls were replaced / trojaned. The original files were placed in /bin/bincp (which is not shown by ls, but cd into that dir works fine).
Luckily I found some source within a log of another machine. Comments show that there is an
unsigned char shellcode[] =
with some rows of "\x ...\x" numbers. I assume that this is the encoding of a shell command. Unfortunately I do not know how to "read" the command. Translating the hex numbers into decimal and using an ASCII table does not give a useful result. Any idea? Tips on how to detect which root kit was used are welcome, too.
TIA Frank
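
The following is an added example, not part of Frank's message: a cross-check for the symptom he describes, where a directory exists (cd works) but the replaced ls does not list it. It compares what the ls under suspicion prints with what the kernel returns for the same directory. It assumes the hiding is done by the user-space ls binary, as in the post, and not by the kernel; the function names and the `ls_cmd` parameter are hypothetical.

```python
#!/usr/bin/env python3
"""Report directory entries that exist but are not printed by ls."""
import os
import subprocess
import sys


def names_from_kernel(directory):
    """Entries as returned by the kernel's directory read (os.scandir)."""
    with os.scandir(directory) as entries:
        return {entry.name for entry in entries}


def names_from_ls(directory, ls_cmd=("/bin/ls",)):
    """Entries as printed by the ls command under suspicion.

    -A lists dot-files except . and .., -1 prints one name per line.
    Names containing a newline would be split; that is accepted here.
    """
    result = subprocess.run(
        [*ls_cmd, "-A", "-1", "--", directory],
        capture_output=True,
        check=True,
    )
    return {os.fsdecode(line) for line in result.stdout.split(b"\n") if line}


def hidden_from_ls(directory, ls_cmd=("/bin/ls",)):
    """Sorted names that the kernel returns but ls leaves out."""
    return sorted(names_from_kernel(directory) - names_from_ls(directory, ls_cmd))


if __name__ == "__main__":
    # Directories to check are taken from the command line, /bin by default.
    status = 0
    for directory in sys.argv[1:] or ["/bin"]:
        for name in hidden_from_ls(directory):
            print(f"{directory}: '{name}' exists but is not listed by ls")
            status = 1
    sys.exit(status)
```

An empty result only shows that this ls hides nothing in the directories checked; the interpreter and libraries on a compromised machine are themselves untrusted, so the check is more reliable run from known-good media.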