[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] OT: Break-In report



Les Mikesell wrote:
> Rob Owens wrote:
>>
>> I particularly like the use of " " as a directory name.  Nice and
>> invisible.  Also note that the invader put his files in two
>> directories which have the "sticky" bit set:  /dev/shm and /var/tmp
>>
>> In the end, it seems that all the invader succeeded in doing was a
>> bunch of port-scanning.  The OS is going to be re-installed anyway,
>> just to be safe.
> 
> It is probably looking for additional systems to compromise, and may
> have  reported itself back to some controlling system.
> 
Yes, that is exactly what it was doing.  We found a list of usernames
(members of some group on the internet) and it looked like it was
notifying these users that the system was "open for business"

-Rob


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]