Date:      Wed, 18 Apr 2001 21:24:19 -0600 (MDT)
From:      "David G. Andersen" <dga@pobox.com>
To:        kris@obsecurity.org (Kris Kennaway)
Cc:        fukuda@alles.ad.jp (fukuda shinichi), freebsd-security@FreeBSD.ORG
Subject:   Re: unknown process
Message-ID:  <200104190324.VAA14081@faith.cs.utah.edu>
In-Reply-To: <20010418200223.A42227@xor.obsecurity.org> from "Kris Kennaway" at Apr 18, 2001 08:02:23 PM

There was an analysis of this posted to ISN today:

http://www.securityfocus.com/templates/archive.pike?list=12&mid=177354

You've been hacked.  Do what Kris said immediately - take your
system offline, and figure out how they got in.  You'll likely
need to either restore from backups, a fresh install, or check
your tripwire/etc logs to determine what else the intruder
changed, if they installed a rootkit, etc.

  -Dave


Lo and behold, Kris Kennaway once said:
> On Thu, Apr 19, 2001 at 11:41:00AM +0900, fukuda shinichi wrote:
> > Hi.
> >
> > I found unknown process name "carko" today.
> > This binary find in /usr/share/man/mansps/ddos ,
> > and i never made such dir like ddos !! (created Apr 18 18:59).
> >
> > Is anyone know about this "carko" ?
> > And very weird name "ddos" ... please help me.
> 
> Take your system off the net and check it for signs of intrusion.
> 
> Kris
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 


-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
