OK :)

So, for now I killed this process, disabled the cronjob and killed the web server - there is no way the attacker is capable of coming back into the server, or is there a chance that there is another backdoor installed somewhere (chkrootkit doesn't find anything)?

Nejc

Marcin Owsiany wrote:

On Tue, Jul 26, 2005 at 04:39:20PM -0400, Edward Faulkner wrote:
On Tue, Jul 26, 2005 at 10:02:52PM +0200, Nejc Novak wrote:
Can you get any information out of this cron file? I tried creating the same exec that this file creates, but obviously I was doing something wrong :)
The crontab writes out a binary file and executes it.  I straced the
binary on a virtual machine with no network.

It's attempting to connect to two different hosts:

210.169.91.66:5454

This is an IRC server. The program seems to be an IRC zombie.

Marcin
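
The strace triage described above, as an added example that is not part of the original messages: it pulls the IPv4 endpoints out of connect() calls in strace output so they can be turned into firewall rules or log searches. The trace lines are constructed (only the 210.169.91.66:5454 endpoint comes from the thread), and the function name is hypothetical.

```python
import re

# Constructed strace output in the format printed by `strace -f -e trace=network`.
# Only 210.169.91.66:5454 is taken from the thread; everything else is made up.
SAMPLE = '''\
[pid  2101] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid  2101] connect(3, {sa_family=AF_INET, sin_port=htons(5454), sin_addr=inet_addr("210.169.91.66")}, 16) = -1 ENETUNREACH (Network is unreachable)
[pid  2101] close(3) = 0
[pid  2101] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid  2101] connect(3, {sa_family=AF_INET, sin_port=htons(5454), sin_addr=inet_addr("210.169.91.66")}, 16) = -1 ENETUNREACH (Network is unreachable)
[pid  2102] connect(4, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  2102] connect(5, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16 <unfinished ...>
'''

# Matches an IPv4 connect(); the return value is optional because strace
# splits a blocked call into "<unfinished ...>" and "<... resumed>" lines.
CONNECT_RE = re.compile(
    r'connect\(\d+, \{sa_family=AF_INET, sin_port=htons\((?P<port>\d+)\), '
    r'sin_addr=inet_addr\("(?P<ip>[\d.]+)"\)\}, \d+'
    r'(?:\) = (?P<ret>-?\d+)(?: (?P<errno>[A-Z0-9]+))?)?'
)

def outbound_endpoints(trace):
    """Return {(ip, port): {"attempts": n, "outcomes": set}} for IPv4 connect() calls."""
    seen = {}
    for line in trace.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue  # other syscalls, AF_UNIX sockets, resumed fragments
        if m["ret"] is None:
            outcome = "unfinished"
        elif m["ret"] == "0":
            outcome = "connected"
        else:
            outcome = m["errno"] or "error"  # e.g. ENETUNREACH on an isolated VM
        entry = seen.setdefault((m["ip"], int(m["port"])),
                                {"attempts": 0, "outcomes": set()})
        entry["attempts"] += 1
        entry["outcomes"].add(outcome)
    return seen

if __name__ == "__main__":
    for (ip, port), info in sorted(outbound_endpoints(SAMPLE).items()):
        print(f"{ip}:{port} attempts={info['attempts']} outcomes={sorted(info['outcomes'])}")
```
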

