[nsp-sec] rooted UNIX boxes
Dave Woutersen (GOVCERT.NL)
dave.woutersen at govcert.nl
Tue Jun 28 07:20:13 EDT 2011
Hi Dirk, thx!
Ack for 8426, 24875, 25525 and 48539
At least one of the boxes was initially hacked through phpMyAdmin.
Rootkit installed was downloaded from: hXXp://rootkit.zzl.org/rootkit.txt
(tar.gz, down now)
MD5 for the tarball: 8d3e27cd640ed3d67b2800642708273e
Greetz,
Dave
On 28-6-2011 11:27, Dirk Stander wrote:
> ----------- nsp-security Confidential --------
>
> Hi,
>
> please find attached a list of compromised servers found
> in an email drop box. The servers do have a userland root
> kit installed and are running a trojanized ssh/sshd.
>
> I'm not sure about the initial attack vector.
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
> community. Confidentiality is essential for effective Internet security
> counter-measures.
> _______________________________________________
- --
Dave Woutersen
security specialist
GOVCERT.NL
T +31 70 888 75 55
I www.govcert.nl
E dave.woutersen at govcert.nl
P.O. Box 84011
2508 AA The Hague
The Netherlands
GOVCERT.NL is the Cyber Security & Incident Response Team for the Dutch
Government. We support the government and organisations with a public task
in preventing and dealing with IT-related security incidents.