RE: [suse-security] Local Weekly Security / Whats this ...
Hello Gábor, hello list,
-----Original Message-----
From: Gábor Ács [mailto:gabor.acs@eds.com]
Sent: Monday, March 17, 2003 11:23 AM
To: Mario Neubert; suse-security@suse.com
Subject: Re: [suse-security] Local Weekly Security / Whats this ...
Hi
This is a "rootkit".
Your system is corrupt. Have you a correct backup?
I don't think this.... Why are you so certain?

I stopped postfix and bindshell is not infected.... Possible bindshell false alert because the postfix master is running on this port:

$>lsof -i -P |grep 465
master 19523 root 14u IPv4 139977 TCP *:465 (LISTEN)

I ran find again like security-weekly.sh does:

$>find / -perm -04000 -o -perm -02000 -uid 0 -mount -type f

and no interesting output was found. I don't know why this appears in the log message, because the "." should be the CWD, but the find command in security-weekly.sh searches -type f!?
On Monday 17 March 2003 09:44, Mario Neubert wrote:
can anyone explain to me what this is? I found it in the "Local Weekly Security" output. This server with SuSE 8.1 has been up for 2 days and nobody except me should know about it.

The following files are suid/sgid:
+ drwx------ 16 root root 4096 2003-03-17 00:36 .
The following devices were added: + drwx------ root root 4096 Mar
Checking `bindshell'... INFECTED (PORTS: 465)
--
Gábor Ács
IT Security Manager, EDS CI Hungary
Phone +3613475594
Mobile +36302978599
-----------------
Greetings Mario
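Two checks that settle the questions raised in this thread, written here as an added example (not code from the thread or from SuSE's security-weekly.sh): first, attribute a port flagged by a "bindshell" check to the process that actually owns it, parsed from `lsof -i -P` output; second, list setuid/setgid regular files by walking the tree directly. One caveat worth knowing about the quoted find command: in find, -o binds more loosely than the implicit -a, so `-perm -04000 -o -perm -02000 -uid 0 -mount -type f` applies the `-uid 0 -mount -type f` tests only to the setgid branch; grouping the two -perm tests in escaped parentheses makes them apply to both. The scanner below applies the "regular file" test to both bits, so a directory such as the 0700 "." entry in the report can never be reported by it. The lsof sample and the allow-list of expected daemons are constructed for the demo, modelled on the single line quoted above.

```python
import os
import stat
import tempfile

# Constructed sample of `lsof -i -P` output, modelled on the line quoted in the
# thread (postfix master on port 465) plus extra entries for contrast.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
master  19523 root   14u  IPv4 139977      0t0  TCP *:465 (LISTEN)
sshd      812 root    3u  IPv4   9876      0t0  TCP *:22 (LISTEN)
master  19523 root   15u  IPv4 139978      0t0  TCP 10.0.0.5:465->10.0.0.9:40112 (ESTABLISHED)
"""

# Assumed allow-list: daemons expected to own listening ports on this host.
EXPECTED_DAEMONS = {"master", "sshd"}


def parse_listeners(lsof_output):
    """Return {port: (command, pid, user)} for every TCP socket in LISTEN state.

    Works on the last two columns, so it copes with lsof versions that omit
    the SIZE/OFF column (as in the line quoted in the thread)."""
    listeners = {}
    for line in lsof_output.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[-1] != "(LISTEN)":
            continue  # header line, non-listening or non-TCP entry
        addr = fields[-2]                      # e.g. "*:465" or "127.0.0.1:25"
        port = int(addr.rsplit(":", 1)[1])
        listeners[port] = (fields[0], int(fields[1]), fields[2])
    return listeners


def explain_port(port, listeners):
    """Classify a port flagged by a bindshell check.

    Returns ("known", owner) when an expected daemon holds it, ("unexplained",
    owner) when some other process does, and ("no listener", None) when
    nothing is listening (e.g. the flagged service has since been stopped)."""
    if port not in listeners:
        return ("no listener", None)
    cmd, pid, user = listeners[port]
    status = "known" if cmd in EXPECTED_DAEMONS else "unexplained"
    return (status, "%s pid %d (%s)" % (cmd, pid, user))


def find_suid_sgid(root):
    """Regular files under root carrying the setuid or setgid bit.

    Equivalent to find with the two -perm tests grouped in parentheses and
    -type f applied to both; symlinks and directories are never reported."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def demo_suid_scan():
    """Build a throw-away tree with one setuid file, one plain file and one
    0700 directory (like the "." entry in the report) and return the base
    names the scanner reports; only the setuid file should come back."""
    base = tempfile.mkdtemp(prefix="suidscan-")
    suid = os.path.join(base, "setuid-demo")
    plain = os.path.join(base, "plain-file")
    for path in (suid, plain):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(suid, 0o4755)      # setuid bit on a file we own: allowed for non-root
    os.chmod(plain, 0o755)
    os.mkdir(os.path.join(base, "private-dir"), 0o700)
    return [os.path.basename(p) for p in find_suid_sgid(base)]


if __name__ == "__main__":
    table = parse_listeners(SAMPLE_LSOF)
    for port in (465, 22, 31337):
        print(port, explain_port(port, table))
    print("setuid/setgid files in demo tree:", demo_suid_scan())
```

Run against a real host, replace SAMPLE_LSOF with the captured output of `lsof -i -P` and call find_suid_sgid("/"); the "no listener" outcome is exactly what one gets after stopping the daemon, which is why checking the owner while the service is still running is the more informative step.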