[scg-sec] FreeBSD exploit?
Paul Goyette
pgoyette at juniper.net
Fri Mar 4 12:31:03 EST 2005
OK, so one of our customers found some weird stuff on an M-series
router while investigating the reasons for the box continually
crashing. In addition to the stuff in the following directory,
it looks like the box was running an IRC server and a mail proxy.

Does any of this look familiar to anyone? I'm guessing we got
compromised by poor passwords, but still not sure until I can
poke around the box myself.

/var/tmp/nesshbf/:
total 3620
-rw-r--r-- 1 root wheel 0 Feb 21 18:27 217.61.pscan.22
-rw-r--r-- 1 root wheel 38 Feb 21 06:30 log.bigsshf
-rw-r--r-- 1 root wheel 0 Feb 20 15:06 overnight.txt
-rwx------ 1 root wheel 21407 Feb 15 00:31 pscan2*
-rwx------ 1 root wheel 453972 Feb 15 00:31 ss*
-rwxr-xr-x 1 root wheel 1347413 Feb 15 00:31 sshf*
-rwxr-xr-x 1 root wheel 758 Feb 20 15:42 sshmass2*
-rw-r--r-- 1 root wheel 14 Feb 21 06:30 uniq.txt