
SANS London 2007 (Conferences Archive)


The Challenge

  Location                 Finding                                                        How found / notes

Directories
  /usr/man/.Ci             Hidden directory
  /usr/man/.Ci/ /          Hidden-hidden directory (its name is a single space)           Tip: enter it with cd " "
  /dev/tpack               IRC bot

Files
  /usr/man/.a
  /var/tmp/nap             Log: root/tw1l1ghtz0ne - c871553-bgffsn1.mo.home.com           Found on the timeline
  /dev/ptyp                Config file for the trojaned ps and top binaries               Strings in the ps and top binaries
  /usr/man/.p

Artifacts
  /usr/man/.Ci/.../bitchx  IRC client -> /bin/bx
  /usr/man/.Ci/.../strobe  Port scanner

Backdoors
  Block 49469 (/var)       Exploit plus backdoor installed via inetd.conf on port 4545    String search for inetd.conf
  /etc/rc.d/rc.local       Last line starts a backdoor: /usr/local/sbin/sshd1

Log Wiping
  /usr/man/.Ci/snap        Log wiper; usage: enter just your IP address
  /usr/man/.Ci/clean       Automates the snap operations

User Account Activity
  Unallocated space (/)    adm1 and own accounts in a passwd file
  Swap (7678200)           Login message by adm1 from an @home account

Deleted Inodes
  Inode 8133 (/)           Source code of the bot                                         Timeline
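A defender-side triage script for the categories in this table, added here as an example; it is not part of the original page or of the challenge materials. It builds a constructed directory tree that mirrors the paths above (dot-entries under /usr/man, a subdirectory whose name is a single space, a directory and a regular file under /dev, an inetd.conf entry for an unexpected service, a line appended to rc.local, and a fragment of raw data containing passwd lines for adm1 and own) and runs the checks that would surface each finding. The allowlists, the inetd.conf and rc.local contents and the carved passwd fragment are all constructed assumptions; giving the carved accounts uid 0 is a demo choice, not something the page states.

```python
"""Triage checks for the kinds of findings listed in the table above.

Added example, not code from the original page: builds a constructed image under
a temporary directory that mirrors the table's paths and runs defender-side
checks over it. Baselines and sample data are constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

ODD_NAME = re.compile(r"^(\s+|\.{3,})$")      # all-whitespace or "..." names
NO_HIDDEN_EXPECTED = ("usr/man", "dev")        # dot-entries are unexpected here
INETD_BASELINE = {"ftp", "telnet", "finger"}   # constructed allowlists; a real
RC_LOCAL_BASELINE = {"/sbin/ldconfig"}         # case takes them from a
USER_BASELINE = {"root", "nobody"}             # known-good image
# passwd(5) line name:passwd:uid:gid:..., as bytes so it runs over carved data
PASSWD_LINE = re.compile(rb"^([a-z_][a-z0-9_-]*):[^:\n]*:(\d+):(\d+):", re.M)
INETD_DEMO = """\
# constructed inetd.conf; the last line is the kind of entry to look for
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
4545    stream  tcp  nowait  root  /bin/sh         sh
"""
RC_LOCAL_DEMO = ("#!/bin/sh\n# constructed rc.local; the appended last line is the finding\n"
                 "touch /var/lock/subsys/local\n/usr/local/sbin/sshd1\n")
UNALLOC_DEMO = (b"\x00\x00junk\nroot:x:0:0:root:/root:/bin/sh\nadm1:x:0:0::/:/bin/sh\n"
                b"own:x:0:0::/:/bin/sh\nnobody:x:99:99:Nobody:/:/bin/false\n\x00")

def build_demo_image(root):
    """Lay out the constructed tree under root (demo data only)."""
    for d in ("usr/man/.Ci/ ", "usr/man/.Ci/...", "dev/tpack", "etc/rc.d", "var/tmp"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    files = {"usr/man/.Ci/.../bitchx": "", "usr/man/.Ci/.../strobe": "",
             "usr/man/.Ci/snap": "", "usr/man/.Ci/clean": "", "usr/man/.a": "",
             "usr/man/.p": "", "dev/ptyp": "ps\ntop\n", "var/tmp/nap": "",
             "etc/inetd.conf": INETD_DEMO, "etc/rc.d/rc.local": RC_LOCAL_DEMO}
    for rel, content in files.items():
        Path(root, rel).write_text(content)

def find_odd_entries(root):
    """Flag dot-entries in watched directories, whitespace- or dot-only names,
    and regular files or directories under /dev (which should hold device nodes)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        watched = any(rel == p or rel.startswith(p + "/") for p in NO_HIDDEN_EXPECTED)
        for name in dirnames + filenames:
            relname = name if rel == "." else f"{rel}/{name}"
            if ODD_NAME.match(name):
                hits.append(("odd-name", relname))
            elif watched and name.startswith("."):
                hits.append(("hidden-in-unexpected-dir", relname))
            full = os.path.join(dirpath, name)
            if rel == "dev" and (os.path.isdir(full) or os.path.isfile(full)):
                hits.append(("non-device-under-dev", relname))
    return sorted(hits)

def suspicious_inetd_lines(text):
    """inetd.conf entries (service type proto wait user server args) whose
    service is outside the baseline or whose server program is a shell."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and not fields[0].startswith("#"):
            if fields[0] not in INETD_BASELINE or fields[5].endswith("/sh"):
                hits.append(line.strip())
    return hits

def unexpected_rc_local_commands(text):
    """rc.local lines whose first token is an absolute path not in the baseline."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("/") and fields[0] not in RC_LOCAL_BASELINE:
            hits.append(line.strip())
    return hits

def carved_accounts(blob):
    """(user, uid) pairs from passwd-format lines carved out of raw data."""
    return sorted((m.group(1).decode(), int(m.group(2)))
                  for m in PASSWD_LINE.finditer(blob)
                  if m.group(1).decode() not in USER_BASELINE)

def run_demo():
    """Build the constructed image, run every check and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_image(root)
        return {"filesystem": find_odd_entries(root),
                "inetd": suspicious_inetd_lines(Path(root, "etc/inetd.conf").read_text()),
                "rc_local": unexpected_rc_local_commands(Path(root, "etc/rc.d/rc.local").read_text()),
                "accounts": carved_accounts(UNALLOC_DEMO)}

if __name__ == "__main__":
    for check, findings in run_demo().items():
        print(check)
        for finding in findings:
            print("   ", finding)
```

Run it directly to print the findings grouped by check. On a real case, point find_odd_entries at the mount point of a read-only image and feed the other three functions the files and carved data from that image; the /dev check relies on isdir/isfile, so genuine device nodes are never reported, and the passwd regex works on bytes so it can be run over unallocated space or a swap dump without decoding first.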

Copyright © 2000-2008 Jessland - Jess Garcia's Website - All rights reserved.