
RE: hpd, afb, sc, and sn

From: Bojan Zdrnja <Bojan.Zdrnja(at)FER.hr>
Date: Sat Dec 21 2002 - 10:16:27 EST

> -----Original Message-----
> From: Gordon Chamberlin [mailto:glac@visualize.com]
> Sent: 20 December 2002 22:12
> To: incidents@securityfocus.com
> Subject: hpd, afb, sc, and sn
>
>
> The contents of hpd are:

The rootkit doesn't seem familiar to me, but this is almost certainly some backdoor service listening on port 7000 (-p flag), which your nmap showed later.
You can maybe try telnetting to localhost port 7000 to see what banner you get.

> According to an rpm -V, all kinds of binaries have been

Well, if you didn't see afb processes before (with the old ps), your machine is 100% compromised, with binaries of common utilities changed.

> Anyone know about this hack, what afb does and/or how they

If you can post those files, people can analyze them. In any case, I'd suggest making an image of the machine's HDD (for later analysis) and reinstalling everything from scratch, as it's pretty obvious someone started a rootkit on it.
Also, you can try running chkrootkit on your machine to see what output you get.
The latest version was released yesterday (v0.38), so I'd suggest downloading it and running it on the compromised machine:

http://www.chkrootkit.org/

Do you need help?

Best regards,

Bojan Zdrnja
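The reply above leans on the original poster's `rpm -V` output to decide that the common utilities were swapped out. The script below is an added example, not code from the post or from the chkrootkit project; it parses `rpm -V`-style verification lines and separates "digest changed on a non-config binary" (the trojaned-binary signal) from mtime-only or config-file noise. The sample lines are constructed for the example and are not the poster's real output; the paths and flag combinations are illustrative.

```bash
#!/bin/sh
# Added example: triage "rpm -Va" output to spot replaced system binaries.
#
# rpm -V prints one line per file that fails verification. The first field is
# a fixed-width flag string whose positions mean, in order:
#   S size   M mode   5 digest (MD5)   D device   L symlink
#   U user   G group  T mtime          (newer rpm adds P capabilities)
# "." in a position means that attribute still matches, "?" means it could
# not be checked. An optional second one-letter field gives the file type
# (c config, d doc, g ghost, l license, r readme), then the path follows.
# A line reading "missing <path>" means the file is gone entirely.

# Constructed sample, modelled on a box whose ps/netstat/ls were trojaned.
# Not real output from the machine discussed in the thread.
SAMPLE='S.5....T   /bin/ps
S.5....T   /bin/netstat
S.5....T   /bin/ls
.......T c /etc/sysconfig/network
S.5....T c /etc/passwd
missing    /usr/sbin/lsof
..5....T   /sbin/ifconfig'

# classify_line FLAGS [TYPE] PATH
# Prints one line: REPLACED, CONFIG, MISSING or BENIGN followed by the path.
#   REPLACED  digest differs on a non-config file: content was changed
#   CONFIG    digest differs on a config file: expected on a live box, review it
#   MISSING   file no longer exists
#   BENIGN    only mtime/mode/ownership etc. differ, content intact
classify_line() {
    flags=$1; shift
    ftype=""
    case "$1" in
        [cdglr]) ftype=$1; shift ;;   # optional file-type column
    esac
    path=$1
    case "$flags" in
        missing)
            echo "MISSING  $path" ;;
        *)
            # The digest check is always the third position of the flag field.
            digest=$(printf '%s' "$flags" | cut -c3)
            if [ "$digest" = "5" ]; then
                if [ "$ftype" = "c" ]; then
                    echo "CONFIG   $path"
                else
                    echo "REPLACED $path"
                fi
            else
                echo "BENIGN   $path"
            fi ;;
    esac
}

# triage_rpm_verify: read rpm -V lines on stdin, print one classification each.
# Paths containing spaces are not handled (rpm-packaged binaries do not use them).
triage_rpm_verify() {
    while read -r flags rest; do
        [ -n "$flags" ] || continue
        # shellcheck disable=SC2086
        set -- $rest
        classify_line "$flags" "$@"
    done
}

# count_replaced: number of REPLACED entries in the constructed sample.
count_replaced() {
    printf '%s\n' "$SAMPLE" | triage_rpm_verify | grep -c '^REPLACED'
}

# Demo run on the constructed sample. On a real box you would instead pipe in
# the output of: rpm -Va 2>/dev/null | triage_rpm_verify
printf '%s\n' "$SAMPLE" | triage_rpm_verify
```

Only lines with a `5` in the third column on non-config files deserve the "trojaned binary" label; `T`-only lines on `/etc` files are what a normally administered system produces. The caveat a responder should keep in mind is that `rpm` itself, its shared libraries and the rpm database are ordinary files on the compromised disk and can be modified just like `ps`, so a clean `rpm -V` from the suspect box proves little; run the check from known-good media against the imaged disk, which is also why the reply above recommends imaging the drive and running an independent checker like chkrootkit.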



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Dec 23 12:24:44 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT

