First thought is, "had been hacked" is probably wrong.
"Still is hacked" looks more likely.
Second thought is, anyone who has been hacked is well-advised to
rebuild from known good components and only known good components.
Once they've done that they should be able to tell what's running on
their system, and not need to ask whether what's running on their
systems might be present elsewhere. If they thought they'd rebuilt
from known secure ingredients and still have this question, I think
the real question should be whether they really did have a good
known safe starting point.
Next, do they have any idea what that process is doing? What
if any sockets are open? What else is running? Is the system
doing anything they care much about? Is there anything they care
much about on it? Are they behind a firewall, or open to the world?
What do they know about the previous hack? How do they know
they were hacked? How were they hacked? By whom? For how
long? If they rebuild from known good sources, will the same hole
be there for the same hacker to compromise them whenever s/he
so desires? ? ?
To me it doesn't sound good; even if this process is not a problem,
the very fact that they don't *KNOW* what's running on
their system is a red flag!
Wish I could be more specific, but that process doesn't ring a bell
with me - the form of the name is suspect, it looks like it should fit
some convention, which means they should be able to identify it.
Since they can't, it raises the level of suspicion about whether that
is an attempt to camouflage...
--Bruce
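The checks Bruce lists (does the name fit the usual shared-library convention, which sockets does the process hold) as an added Python example that is not part of the thread: the /proc/net/tcp layout is the standard Linux one, the library naming pattern is an assumed heuristic (a conventional name proves nothing on its own, only a deviation is worth a second look), and the fd links and TCP table below are constructed sample data, not a capture from the affected box.

```python
import os
import re

# Assumed heuristic: Linux shared objects are normally named libNAME.so[.MAJ[.MIN]]
# or, in the glibc style of that era, libNAME-MAJ.MIN.so (e.g. libc-2.1.3.so).
SONAME_RE = re.compile(r"^lib[\w+\-]+(\.so(\.\d+)*|-\d+(\.\d+)*\.so)$")

TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN", "06": "TIME_WAIT"}

def conventional_soname(path):
    """Return True if the file name follows the usual shared-library pattern."""
    return bool(SONAME_RE.match(os.path.basename(path)))

def decode_addr(hexaddr):
    """Turn '0100007F:0CEA' (as printed in /proc/net/tcp) into ('127.0.0.1', 3306)."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]  # stored little-endian
    return ".".join(octets), int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into {inode: (local, remote, state)}."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        table[f[9]] = (decode_addr(f[1]), decode_addr(f[2]), TCP_STATES.get(f[3], f[3]))
    return table

def socket_inodes(fd_link_targets):
    """Extract socket inodes from readlink() results of /proc/<pid>/fd/*."""
    inodes = set()
    for target in fd_link_targets:
        m = re.match(r"socket:\[(\d+)\]", target)
        if m:
            inodes.add(m.group(1))
    return inodes

def socket_inodes_of_pid(pid):
    """Live variant for a running process (Linux only, needs permission on /proc/<pid>)."""
    fd_dir = "/proc/%d/fd" % pid
    return socket_inodes(os.readlink(os.path.join(fd_dir, n)) for n in os.listdir(fd_dir))

def sockets_of_process(inodes, tcp_text):
    """Join the process's socket inodes against the kernel TCP table."""
    table = parse_proc_net_tcp(tcp_text)
    return {i: table[i] for i in inodes if i in table}

# Constructed sample data standing in for a live /proc (not a real capture).
SAMPLE_FD_LINKS = ["/dev/null", "socket:[12345]", "/usr/lib/lib-gblo.1.3.so", "socket:[99999]"]
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0
   1: 0100007F:0016 0100007F:C2B4 01 00000000:00000000 00:00000000 00000000     0        0 55555 1 0
"""

if __name__ == "__main__":
    print(conventional_soname("/usr/lib/lib-gblo.1.3.so"))                  # False
    print(sockets_of_process(socket_inodes(SAMPLE_FD_LINKS), SAMPLE_TCP))   # one LISTEN socket
```

On a real RH 6.x host the same join is done with `socket_inodes_of_pid(pid)` and the contents of /proc/net/tcp, and the `rpm -qf` / `rpm -V` answer for the file path is the other half of the picture.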
[EMAIL PROTECTED] wrote:
> People,
> I had a question from someone who had been hacked.
> They said:
> > > we have a process that is running - /usr/lib/lib-gblo.1.3.so
> > > that is taking up some massive CPU cycles.
> > > Do you know anything about this file? Does it
> > > exist on any of your systems?
> > >
> I can't find any reference to it. rpm -qf doesn't show anything.
> They only install using rpms on a RH 6.x system.
> Any thoughts?
>
> TIA,
> Bob Sparks
> Linux guru wannabe
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************