[vox-tech] lugod.org cracked?

ME dugan at passwall.com
Tue Feb 15 13:14:21 PST 2005


Also, you will want to look at processes that are still running. Check out
inetd. Use your fu from /proc/PID/*exe* and dump to files and service
daemons. Do a cmp of the dumped data with the actual executable on disk.
If the item in memory != app on disk, that is a sign that the service you
see may not be yours, and it should be inspected more closely.

Use lsof and look at what files are opened by various daemons -- especially
those you suspect of not being your own.

Odds are in favor that they still have a process running on your box and
it is set to auto-start on reboot and/or kill -- common to have a parent
process that does little and is called something like -bash whose only
purpose is to respawn the trojan upon termination.

You have a lot of work ahead of you.
Good luck :-)

-ME

ME said:
> 2 tools:
> 1) Rootkit with local exploits
> 2) IRC Relay with authentication and bounce... probably a file server for
> dcc requests of pr0n, movies, or music.
...
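The in-memory-versus-on-disk comparison the reply describes, written out as a small POSIX shell script. This is an added example, not part of the original thread; it assumes a Linux /proc filesystem and the `cmp` and `readlink` utilities, and it only sees other users' processes when run as root.

```shell
#!/bin/sh
# Compare each running process's executable image (/proc/PID/exe) with the
# file on disk, and flag anything that does not match. Example code, not
# from the original post. Assumes Linux /proc; run as root to see everything.

# compare_image IMAGE DISKFILE: byte-compare a readable copy of the running
# image against the on-disk path. Prints "ok" or "mismatch".
compare_image() {
    if cmp -s "$1" "$2"; then echo ok; else echo mismatch; fi
}

# classify_exe /proc/PID/exe: prints one of
#   ok         in-memory image is byte-identical to the on-disk binary
#   deleted    binary was unlinked (or lives in memfd) but is still running
#   mismatch   the file on disk is not what is actually executing
#   unreadable no permission, or a kernel thread with no exe link
classify_exe() {
    link="$1"
    target=$(readlink "$link" 2>/dev/null) || { echo unreadable; return 0; }
    case "$target" in
        *" (deleted)") echo deleted; return 0 ;;
    esac
    [ -r "$target" ] || { echo unreadable; return 0; }
    compare_image "$link" "$target"
}

# scan_procs: walk /proc and report every process that is not "ok",
# with the first 60 bytes of its command line for context.
scan_procs() {
    [ -d /proc/self ] || { echo "no /proc mounted" >&2; return 1; }
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        status=$(classify_exe "$d/exe")
        [ "$status" = ok ] && continue
        name=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null | cut -c1-60)
        printf '%-8s %-10s %s\n' "$pid" "$status" "$name"
    done
}

scan_procs
```

A "deleted" or "mismatch" hit is exactly the case the reply warns about: inspect that PID with lsof and pull the image from /proc/PID/exe before killing it, since the evidence disappears with the process.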

