/*
 * First off - no flames for using Outlook Distress please - my
 * Linux boxes are in a container on a ship or on a dock at the moment
 * so for the moment I'm using my wife's laptop.. :-)
 */

> Not good. There're two syslogd binaries:
> [...]

Hmm, certainly the Adore rootkit creates that during install, but it's not the only one to use that trick. A report on a Honeypot (RH6.2) that's been Adore'd is at:

http://www.lucidic.net/whitepapers/sholcroft-4.1-2002.html

Interestingly, he mentions that the person who took over that box was using it to bounce IRC connections off of (to legit IRC servers, not imposters like you were seeing though) and talking to others on Romanian IRC channels. Your logs of DNS queries show lookups to some Romanian sites too (though not only Romanian).

There's another report of another rootkit (lrk4) that also dumped a /usr/bin/syslogd at:

http://msgs.securepoint.com/cgi-bin/get/bugtraq0001/54.html

Hey ho. Sounds like a backup and reformat job to me.

If you want more help you could try the incidents list out of securityfocus, I lurked there quite a bit whilst working in the UK and they can be quite helpful there, especially if you've got something that looks a bit out of the ordinary.

Best of luck!

Chris

-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
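The indicator discussed in the reply above (a second syslogd dropped into /usr/bin beside the legitimate one in /sbin) can be turned into a quick triage check. The script below is an added example, not part of the SLUG thread and not from any of the rootkit write-ups it links to: it walks a list of bin/sbin directories, collects every regular file, and reports any basename that shows up in more than one directory. The directory list is a parameter (an assumption of this example) so it can be pointed at a suspect disk image mounted read-only rather than at the live, possibly trojaned, system.

```shell
#!/bin/sh
# Added example (not from the original post): report binaries whose basename
# occurs in more than one of the given directories, e.g. /sbin/syslogd and
# /usr/bin/syslogd both present. Hypothetical helper name; the directories
# to scan are passed as arguments.

# find_duplicate_basenames DIR...
#   Prints one line per colliding basename: "name: path1 path2 ...".
#   Returns 0 when no collisions were found, 1 when at least one was.
find_duplicate_basenames() {
    tmp=$(mktemp) || return 2

    # Build a sorted "basename fullpath" table of all regular files.
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] && printf '%s %s\n' "$(basename "$f")" "$f"
        done
    done | sort > "$tmp"

    found=0
    # uniq -d on the basename column yields names seen more than once.
    for name in $(awk '{print $1}' "$tmp" | uniq -d); do
        found=1
        paths=$(awk -v n="$name" '$1 == n { printf "%s%s", (c++ ? " " : ""), $2 }' "$tmp")
        printf '%s: %s\n' "$name" "$paths"
    done

    rm -f "$tmp"
    return $found
}

# Typical live use (output only; exit status 1 means something collided):
#   find_duplicate_basenames /bin /sbin /usr/bin /usr/sbin
```

On a Red Hat box every hit should then be checked against the package database (rpm -qf on each path) to see which copy is owned by a package and which is not, bearing in mind that on a box that has already been rootkitted the rpm, ls and find binaries themselves may have been replaced, so the check is only trustworthy when run from clean boot media against the mounted disk.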
