> Hi all,
> 
> I was scanning my mail queue today when I came across a mail which was going
> to "[EMAIL PROTECTED]"... The mail consisted of the output from the ifconfig
> command (which showed the IP address I was using when I was connected to
> VSNL), the entire /etc/passwd file and also the SHADOW PASSWORD file.
> Luckily the mail did not go out (or so I think). Is this a virus or
> something? And how did it get access to the files which can be accessed by
> root only? How can I stop it?
> 


As said by others, this is a rootkit.

Check out your inetd.conf file. Such rootkits tend to add some services to
/etc/inetd.conf that create loopholes. If something unusual is
found, remove it.

One more thing: some fs such as /usr/bin or /usr/src and so on are
not usually modified. Use the "find" command to check all the
files in such dirs for their change time. Hopefully you will be able
to locate the dir in which the kit is installed.

Once you are on the kit, you can see in the scripts there (if readable)
what changes they have made. Remove all of them.

In my case, I once found such a kit in /usr/src/.xxx

The dir name started with a dot, so it was hidden and can't be seen in ls
without the -a option.

Try it out.

shubh



_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/linux-india-help
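
The checks described in the reply above (unexpected inetd.conf entries, hidden dot directories, recently changed files under normally static directories), as an added shell example that is not part of the original message. The function names, the expected-service list, the "xsvc" entry and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit helpers for the three checks in the reply above.
# All names and the sample data below are constructed for illustration.

# Print "service program" for every active inetd.conf entry ($1) whose
# service name is not in the space-separated list of expected services ($2).
inetd_unexpected() {
    awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        !($1 in want) { print $1, $6 }      # field 6 is the server program
    ' "$1"
}

# List directories whose name starts with a dot (not shown by plain "ls").
hidden_dirs() {
    find "$@" -type d -name '.?*' 2>/dev/null
}

# List regular files whose inode change time is within the last $1 days.
recently_changed() {
    days=$1; shift
    find "$@" -type f -ctime "-$days" 2>/dev/null
}

# Build a constructed sample tree so the demo never touches the real system.
make_sample() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/src/.xxx" "$root/usr/src/linux" "$root/etc"
    : > "$root/usr/src/.xxx/install.sh"
    cat > "$root/etc/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
xsvc    stream  tcp  nowait  root  /usr/src/.xxx/svc     svc
EOF
    echo "$root"
}

if [ "${1:-}" = "demo" ]; then
    r=$(make_sample)
    inetd_unexpected "$r/etc/inetd.conf" "ftp telnet"
    hidden_dirs "$r/usr/src"
    recently_changed 7 "$r/usr"
    rm -rf "$r"
fi
```

On a host already suspected of compromise, the installed find, ls and awk may themselves have been replaced by the kit, so run checks like these with binaries from trusted media.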
