SLUG Mailing List Archives
Re: [SLUG] Suspicious IRCd connections
- To: <slug@xxxxxxxxxxx>
- Subject: Re: [SLUG] Suspicious IRCd connections
- From: "Chris Samuel" <chris@xxxxxxxxxxx>
- Date: Sun Dec 1 19:38:03 2002
* First off - no flames for using Outlook Distress please - my
* Linux boxes are in a container on a ship or on a dock at the moment
* so for the moment I'm using my wife's laptop.. :-)
> Not good. There're two syslogd binaries:
Hmm, certainly the Adore rootkit creates that during install, but it's not
the only one to use that trick. A report on a Honeypot (RH6.2) that's been
Adore'd is at:
Interestingly, he mentions that the person who took over that box was using
it to bounce IRC connections off of (to legit IRC servers, not imposters
like you were seeing though) and talking to others on Romanian IRC channels.
Your logs of DNS queries show lookups to some Romanian sites too (though not
There's another report of another rootkit (lrk4) that also dumped a
Hey ho. Sounds like a backup and reformat job to me.
If you want more help you could try the incidents list out of securityfocus,
I lurked there quite a bit whilst working in the UK and they can be quite
helpful there, especially if you've got something that looks a bit out of
Best of luck!