On Mon, 20 Jun 2005 10:53:48 +0200 (CEST) "Barbara M." <[EMAIL PROTECTED]> wrote:
> Comments appreciated.

It's an x86 ELF binary, packed with upx (upx.sf.net).

Executed on a honeypot and traced with strace (full strace attached):

- saves own pid in /var/run/ehttpd.pid
- rename process to "init [3]"
- and finally (try) to connect to 210.169.91.66:4963

This should be some sort of "master-server", but it is down right now.

The whole thing seems to be a backdoor-shell (connect to master, and receive commands from there).

cheers
Olaf
_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
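
One way to pull the two syscall-level indicators named in the message above (the pid file and the outbound connection) out of an strace log, as an added example that is not part of the original post. The trace lines are constructed because the attachment is not on this page, and `triage` is a hypothetical helper name; the process rename is not covered.

```python
import re

# Constructed strace lines (the attached trace is not on this page). Only the
# pid-file path and the IP:port come from the message; the rest is sample data.
SAMPLE_TRACE = r'''execve("./sample", ["./sample"], [/* 18 vars */]) = 0
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/var/run/ehttpd.pid", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
write(3, "2817\n", 5) = 5
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(4963), sin_addr=inet_addr("210.169.91.66")}, 16) = -1 ETIMEDOUT (Connection timed out)
'''

# open("path", FLAGS[, mode]) = fd
OPEN_RE = re.compile(r'\bopen\("([^"]+)",\s*([A-Z_|]+)[^)]*\)\s*=\s*(-?\d+)')
# connect(fd, {sa_family=AF_INET, sin_port=htons(P), sin_addr=inet_addr("IP")}, len) = ret [ERRNO]
CONNECT_RE = re.compile(
    r'\bconnect\(\d+,\s*\{sa_family=AF_INET,\s*sin_port=htons\((\d+)\),\s*'
    r'sin_addr=inet_addr\("([\d.]+)"\)\},\s*\d+\)\s*=\s*(-?\d+)(?:\s+(\w+))?')
WRITE_FLAGS = re.compile(r'O_(WRONLY|RDWR|CREAT)')


def triage(trace):
    """Return files successfully opened for writing and IPv4 connect() attempts."""
    report = {"files_written": [], "connects": []}
    for line in trace.splitlines():
        m = OPEN_RE.search(line)
        if m and WRITE_FLAGS.search(m.group(2)) and int(m.group(3)) >= 0:
            report["files_written"].append(m.group(1))
        m = CONNECT_RE.search(line)
        if m:
            port, ip, ret, errno = m.groups()
            # Failed attempts are kept: a dead endpoint is still an indicator.
            report["connects"].append(
                {"ip": ip, "port": int(port), "ok": ret == "0", "errno": errno})
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_TRACE)
    for path in result["files_written"]:
        print("file written:", path)
    for c in result["connects"]:
        status = "connected" if c["ok"] else "failed (%s)" % c["errno"]
        print("connect %s:%d %s" % (c["ip"], c["port"], status))
```
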
