More details on the recent compromise of machines
Posted on: 11/28/2003 07:17 AM

James Troup has published more details on the recent compromise of machines:

On November 20 it was noticed that master was kernel oops-ing lots. While investigating this it was discovered that murphy was showing the exact same oops, which was an overly suspicious coincidence. Also klecker, murphy and gluck have aide installed to monitor filesystem changes and at around the same time it started warning that /sbin/init had been replaced and that the mtime and ctime timestamps for /usr/lib/locale/en_US had changed.

Investigation revealed the cause for both these things to be the suckit root kit (see the "Suckit" appendix for more info).

