[vox] Re: Password NOT stolen at linuxworld
Ryan Castellucci
vox@lists.lugod.org
Sun, 17 Aug 2003 05:01:30 -0700
On Mon, Aug 11, 2003 at 01:42:08PM -0700, Ryan Castellucci wrote:
> OK, guys, here's the scoop... Somebody 0wned my system at
> work, running debian testing. Installed this lovely password
> logger, and snagged my password when I used SCPed a file.
> I found a log file at /usr/lib/mem/mem
>
> Bastards....
Well, looks like someone installed the same rootkit on cal.net's
shell on or about april 24...
There's a rather large /usr/lib/mem/mem file on there, and I may
have ssh'd into zaphod from cal.net's shell server, and this
jackass got in from there. I am very, very irritated.
[ryan@shell1]-[pts/2]-[~/chkrootkit-0.41]
$ ./chkproc -v
PID 14: not in readdir output
PID 14: not in ps output
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
$ ls -al /usr/lib/mem/mem
-rw--w--w- 1 root root 2693070 Aug 17 04:40 /usr/lib/mem/mem
$ ls -al /usr/lib/mem
total 44
-rwxr-xr-x 1 root root 27976 Apr 9 13:31
drwxr-xr-x 2 root root 4096 Apr 24 15:26 .
drwxr-xr-x 24 root root 12288 Apr 24 15:25 ..