Re: [Mailman-Users] What is ADORE

Mon, 23 Apr 2001 14:33:15 -0700 

I would say that you box has been hacked. Most likely with
a variation of the l10n (lion) worm. I would pull it
off the network and run a rootkit scan on it.

Check out http://www.sans.org/ for info. Look at the 
Alerts and Analysis section.

The script that is running looks like it is "cleaning up" the
hackers code that is running on your box...

Anyone else have any input?

Steve
--
Steve Pirk
[EMAIL PROTECTED] . deathcon.com . pirk.com . webops.com . t2servers.com 

On Mon, 23 Apr 2001 [EMAIL PROTECTED] wrote:

> Is this a virus?
> Is this `below' the correct anacron file.
> 
> Help???
> 
> Thanks
> miket
> 
> I am experiencing some troble with or list server.  It is rebooting every five 
>minutes 
> or so.  I have tracked it down to the anacron service and /etc/cron.daily/0anacron
> 
> #!/bin/sh
> if [ -f /sbin/reboot ]; then
> mv /usr/bin/adore /bin/ps
> mv /usr/lib/lib/0anacron-bak /etc/cron.daily/0anacron
> rm -rf /usr/lib/lib
> /sbin/reboot
> exit 0
> fi
> killall -9 lpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 lpd7.sh >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-lprng >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 statdx >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-statd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-wu26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-ftpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-lprng >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-statdx >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 wuftpd26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 wuscan >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 hackwu26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 hacklpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 scan.pl >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 .bla >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 xargs >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 cat >>/dev/null 2>>/dev/null 3>>/dev/null
> mv /usr/bin/adore /bin/ps
> mv /usr/lib/lib/0anacron-bak /etc/cron.daily/0anacron
> rm -rf /usr/lib/lib
> 
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>      SciTech Software, Inc.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Michael E. Todd 
> Chico, CA  95928
> 530-894-8400 #151
> 


------------------------------------------------------
Mailman-Users maillist  -  [EMAIL PROTECTED]
http://mail.python.org/mailman/listinfo/mailman-users

Reply via email to