Mailinglist Archive: opensuse-security (195 mails)

Re: [suse-security] How to decrypt shell code of an exploit?
  • From: Schoeberle Daniel <schuberth@xxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 23 Mar 2000 14:15:23 +0100 (CET)
  • Message-id: <Pine.LNX.4.21.0003231358080.17522-100000@xxxxxxxxxxxxxxxxxxxx>
On Wed, 22 Mar 2000, Frank Derichsweiler wrote:

> the box of a friend was hacked: /bin/ps /bin/login /bin/ls were
> replaced / trojaned. The original files were placed in /bin/bincp
> (which is not shown by ls, but cd into that dir works fine).
> Tips on how to detect which root kit was used are welcome, too.

We had a break-in not long ago and the part about hidden dirs sounds
familiar. The intruder used a kernel-based root kit for 2.2 kernels, Knark
v0.50, which would put some info about hidden dirs and some other info
into a (hidden) /proc/knark dir. Check for it. I could also post the README
file from the root kit, maybe that could give you some more clues?

Regards, Daniel.
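Following the two hints in this thread (the hidden /bin/bincp dir and the /proc/knark marker), here is an added example that is not part of the original mail: a small POSIX sh script an admin could run on the box from a known-good shell (e.g. booted from rescue media). It checks whether the Knark marker directory exists and compares what a possibly trojaned `ls` reports against the entries the shell's own globbing sees, which does not go through `ls` at all. The marker path is taken from Daniel's mail; the second argument of `find_hidden_entries` (the listing command) and the directory names used are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Defender-side checks for a
# Knark-style compromise: a hidden /proc marker and entries hidden from ls.

# 1. Does the kernel expose the hidden Knark control directory?
#    $1 = marker path (assumption: defaults to /proc/knark as named in the mail).
#    Returns 0 if nothing was found, 1 if the marker exists.
check_knark_proc() {
    marker="${1:-/proc/knark}"
    if [ -e "$marker" ]; then
        echo "WARNING: $marker exists; Knark-style kernel rootkit suspected"
        return 1
    fi
    return 0
}

# 2. Compare a directory listing produced by a command (default: ls -a, the
#    binary that may be trojaned) against the names the shell itself sees via
#    pathname expansion. Any entry on disk but absent from the listing is
#    reported. $1 = directory, $2 = listing command (assumption: optional).
#    Returns 0 if both views agree, 1 if at least one entry is hidden.
find_hidden_entries() {
    dir="$1"
    lister="${2:-ls -a}"
    missing=0
    # Capture the (untrusted) listing once, one name per line.
    listing=$(cd "$dir" && $lister)
    # Globs: ordinary names, dotfiles, and names starting with ".." plus more.
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || continue
        name="${path##*/}"
        if ! printf '%s\n' "$listing" | grep -qxF -- "$name"; then
            echo "HIDDEN: $dir/$name is on disk but not in '$lister' output"
            missing=1
        fi
    done
    return $missing
}

# Example run against the directory from the mail (assumed paths).
if [ "${1:-}" = "--run" ]; then
    check_knark_proc
    find_hidden_entries /bin
fi
```

On a box with a kernel-level rootkit loaded, even the shell's globbing goes through the compromised kernel, so a clean result is only meaningful when run from a trusted boot; a positive result is still useful evidence.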
