Mailinglist Archive: opensuse-security (465 mails)

what hack is this and what to do against ?
  • From: Walter Raboch <wraboch@xxxxxx>
  • Date: Fri, 21 Dec 2001 00:46:39 +0100
  • Message-id: <3C22785F.793B185E@xxxxxx>
Hi folks,

some of my servers were hacked the day before...
I found some strange processes and some changed binaries and would
like to know what hack or possible worm this is and what to do against it -
update which daemon/package?

files changed or created:

-rwxr-xr-x 1 root root 60296 Dez 20 20:37 /bin/netstat
-r-xr-xr-x 1 root root 32756 Dez 20 20:37 /bin/ps
-rw------- 1 root root 512 Dez 20 21:37 /bin/.s
-rw------- 1 root root 526 Dez 20 20:37 /bin/hk
-rw------- 1 root root 512 Dez 20 20:37 /bin/s
-rw-r--r-- 1 root root 673 Dez 20 20:37 /bin/sc
-rw-r--r-- 1 root root 880 Dez 20 20:37 /bin/ssc
-rwxr-xr-x 1 root root 207272 Dez 20 15:44 /usr/bin/afb
-rwxr-xr-x 1 root root 111 Dez 20 20:37 /usr/bin/hdp
-rwxr-xr-x 1 root root 5008 Dez 20 20:37 /usr/bin/sn

I found some scripts here:

./usr/src/wsx
./usr/src/wsx/flood
./usr/src/wsx/mass-scan
./usr/src/wsx/parser
./usr/src/wsx/cleaner
./usr/src/wsx/sz
./usr/src/wsx/tcp.log

I found this process:

30056 ? S 0:01 /usr/bin/./afb -f /bin/sc -q -p 55001 -h /bin/hk


my machine is still running on Suse 6.2 since it's a production machine
some hundred kilometers away from me, so I can't just drive there to make
an update before January... so I appreciate any info to stabilize it
until then...

hope you can help me...

thx in advance

Walter Raboch
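
The listing in the message above shows two patterns a responder can search for: non-executable or hidden files sitting in a binary directory, and a cluster of files sharing one modification minute. The following triage sketch is an added example, not part of the original post; the function names and the sample directory are assumptions built from the names, modes and times quoted in the message.

```bash
#!/bin/bash
# Added triage sketch. Assumes GNU/busybox stat, date and touch.

# Regular files directly inside directory $1, dotfiles included.
list_files() {
    local f
    for f in "$1"/* "$1"/.[!.]*; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then echo "$f"; fi
    done
}

# Files that do not belong in a binary directory: hidden names, or no
# execute bit at all (compare /bin/.s, /bin/hk, /bin/sc in the listing).
odd_bin_files() {
    local f
    list_files "$1" | while IFS= read -r f; do
        case "${f##*/}" in .*) echo "$f"; continue ;; esac
        case "$(stat -c %A "$f")" in *[xst]*) ;; *) echo "$f" ;; esac
    done | LC_ALL=C sort
}

# Files in $1 modified in the same minute as reference file $2.
same_minute_as() {
    local stamp f
    stamp=$(date -r "$2" +%Y%m%d%H%M)
    list_files "$1" | while IFS= read -r f; do
        if [ "$(date -r "$f" +%Y%m%d%H%M)" = "$stamp" ]; then echo "$f"; fi
    done | LC_ALL=C sort
}

# Constructed sample directory reusing the names, modes and times posted
# above; "ls" is an invented untouched file for contrast.
make_sample() {
    local d
    d=$(mktemp -d)
    touch -d '2001-12-20 20:37' "$d/netstat" "$d/ps" "$d/hk" "$d/s" "$d/sc" "$d/ssc"
    touch -d '2001-12-20 21:37' "$d/.s"
    touch -d '1999-08-01 12:00' "$d/ls"
    chmod 755 "$d/netstat" "$d/ls"; chmod 555 "$d/ps"
    chmod 600 "$d/hk" "$d/s" "$d/.s"; chmod 644 "$d/sc" "$d/ssc"
    echo "$d"
}

# Usage: script DIR [REFERENCE_FILE]
if [ "$#" -ge 1 ]; then
    odd_bin_files "$1"
    if [ "$#" -ge 2 ]; then same_minute_as "$1" "$2"; fi
fi
```

Since ps and netstat were replaced on this host, its other tools may have been replaced too, so results are only trustworthy when the script runs with known-good binaries, for example from read-only media or against a mounted copy of the disk.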