Hi all,
I strongly fee that this is the linux Lion worm affecting systems using
particular versions of bind.
This lion worm is said to mail your list of password and net configs to an
email address in china
Please check out the link below
http://www.netaccess.it/virus/l/Linux.Lion.Worm.asp
>
> > Hi all,
> >
> > I was scanning my mail queue today when i came across a mail which was going
> > to "[EMAIL PROTECTED]"... The mail consisted of the output from the ifconfig
> > command (which showed the IP address i was using when i was connected to
> > VSNL), the entire /etc/passwd file and also the SHADOW PASSWORD file.
> > Luckily the mail did not go out (or so i think). Is this a virus or
> > something? And how did it get access to the files which can be accessed by
> > root only. How can i stop it?
> >
>
>
> as said by others this is a root-kit
>
> chek out yr inetd.conf file such root kits use to add some services to
> /etc/inetd.conf that creates some loop holes if something unusual is
> found remove it
>
> one more thing some fs such as /usr/bin or /usr/src and so are
> not modified usually use "find" command to chek out for all the
> files in such dirs for there change time hopefully u will be abel
> to locate the dir in which the kit is installed
>
> once u r on the kit u can see the scripts there( if readable )
> what changes they have made remove all of them
>
> in my case once i found such kit in /usr/src/.xxx
>
> the dir was starting with a dot so hidden, cant be seen in ls without
> -a option
>
> try it out
>
> shubh
>
>
>
> _______________________________________________
> linux-india-help mailing list
> [EMAIL PROTECTED]
> http://lists.sourceforge.net/lists/listinfo/linux-india-help
---------------------------------------------
This message was sent using Endymion MailMan.
http://www.endymion.com/products/mailman/
_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/linux-india-help
