Quoting Loryan Strant <[EMAIL PROTECTED]>:
> I've found that "/usr/sbin/nscd" is the responsible program for that port
> being open. I don't know what that program is, as it is not found on our
> backup RaQ4 server (which mind you has a lot less updates and programs
> installed).
> I know that my server is now untrustworthy, but would it be a good idea
> to rename/delete this file in the meantime?
I'm sorry to tell you but this is very likely evidence of your system being
fully compromised by the t0rn rootkit. See http://www.sans.org/y2k/t0rn.htm
for more information. I strongly suggest a complete restore, although it is
possible to eliminate all the back doors if you spend time on it. Then you
need to apply the latest security patches from Cobalt, to remove the place
where the script kiddie got in (most likely the BIND bug, although WU-FTPD is
also a possibility).
*********************************
Paul Gillingwater
Managing Director
CSO Lanifex Unternehmensberatung
& Softwareentwicklung G.m.b.H.
NEW BUSINESS CONCEPTS
E-mail: [EMAIL PROTECTED]
Mobile: +43/699/1922 3085
Webhome: http://www.lanifex.com
Address: Praterstrasse 60/1/2
A-1020 Vienna, Austria
*********************************
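As an added example (not from this thread, nor Cobalt's or the list's code), the comparison the original poster did by hand, checking the suspect RaQ4 against the backup RaQ4, written as a script: it parses `netstat -lntp`-style output and flags any listener whose binary is absent from, or hashes differently to, an inventory taken from a known-good host. All sample lines, PIDs, ports, paths and digests are constructed; a real run would feed it actual `netstat`, `readlink /proc/<pid>/exe` and `sha256sum` output from both machines.

```python
import re

# One `netstat -lntp` line: capture local port and "PID/Program name".
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")

def parse_listeners(netstat_text):
    """Return [(port, pid, program)] from `netstat -lntp`-style output."""
    hits = (LISTEN_RE.match(line) for line in netstat_text.splitlines())
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in hits if m]

def audit_listeners(listeners, exe_paths, suspect_hashes, baseline_hashes):
    """Return (port, subject, reason) for every listener whose binary the
    known-good host does not vouch for: absent from its inventory (the
    thread's rogue nscd) or present with a different hash (trojaned)."""
    findings = []
    for port, pid, name in listeners:
        path = exe_paths.get(pid)
        if path is None:
            findings.append((port, name, "could not resolve /proc/<pid>/exe"))
        elif path not in baseline_hashes:
            findings.append((port, path, "binary absent on known-good host"))
        elif suspect_hashes.get(path) != baseline_hashes[path]:
            findings.append((port, path, "hash differs from known-good host"))
    return findings

# ---- constructed sample data, not real RaQ4 output --------------------
SUSPECT_NETSTAT = """\
tcp        0      0 0.0.0.0:22     0.0.0.0:*   LISTEN  412/sshd
tcp        0      0 0.0.0.0:53     0.0.0.0:*   LISTEN  388/named
tcp        0      0 0.0.0.0:40000  0.0.0.0:*   LISTEN  951/nscd
"""
# readlink /proc/<pid>/exe on the suspect host (constructed).
SUSPECT_EXE = {412: "/usr/sbin/sshd", 388: "/usr/sbin/named", 951: "/usr/sbin/nscd"}
# sha256sum of each binary; placeholder digests stand in for real ones.
SUSPECT_HASHES = {"/usr/sbin/sshd": "sha256:aaaa", "/usr/sbin/named": "sha256:bbbb",
                  "/usr/sbin/nscd": "sha256:cccc"}
# Inventory taken from the backup RaQ4: same sshd and named, no nscd at all.
BASELINE_HASHES = {"/usr/sbin/sshd": "sha256:aaaa", "/usr/sbin/named": "sha256:bbbb"}

def run_sample():
    """Audit the constructed suspect host against the constructed baseline."""
    return audit_listeners(parse_listeners(SUSPECT_NETSTAT), SUSPECT_EXE,
                           SUSPECT_HASHES, BASELINE_HASHES)

if __name__ == "__main__":
    for port, subject, reason in run_sample():
        print(f"port {port}: {subject}: {reason}")
```

A hit on the "absent" branch is exactly the situation in the thread; the "hash differs" branch catches the other rootkit pattern, a system binary that exists on both hosts but has been replaced on the suspect one.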
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security