Subject: Re: Connection from unknown
From: Mike Worman (wormanNIC.UMASS.EDU)
Date: Mon Oct 23 2000 - 09:17:37 CDT


MyServer is a little known DDOS agent that was running around late in
the summer. It binds to UDP 55850, and the rootkit installs trojans of
ls and ps, so you won't see it running. You WILL see it with netstat
though. The rootkit and ddos tools are stored in "/lib/ "

-mW

Piotr Kurys wrote:
>
> Hello Everybody!
>
> What do you think such logs (/var/log/secure) should, could, or do
> mean:
>
> Oct 15 00:17:40 MyServer tcpd[982]: connect from unknown
> Oct 15 00:17:40 MyServer tcpd[982]: warning: can't get client address:
> Socket operation on non-socket
> Oct 15 00:17:40 MyServer tcpd[982]: connect from unknown
> Oct 15 00:17:40 MyServer tcpd[982]: warning: can't get client address:
> Socket operation on non-socket
> ..... the same through a few minutes .....
> Oct 15 00:17:40 MyServer tcpd[982]: connect from unknown
> Oct 15 00:17:40 MyServer tcpd[982]: warning: can't get client address:
> Socket operation on non-socket
> Oct 15 00:17:40 MyServer tcpd[982]: connect from unknown
> Oct 15 00:17:40 MyServer tcpd[982]: warning: can't get client address:
> Socket operation on non-socket
>
> Thank you very much for your help
>
> Piotr
>
> ---------------------------------------------------------------------------
> Peter In Person
> ---------------------------------------------------Marylka is wonderful!---

--
Mike Worman
Network Systems and Services
University of Massachusetts
wormannic.umass.edu
(413) 545-9639
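
A check for the indicator described in the reply above, added here as an example and not part of the original thread: because the trojaned ps and ls cannot be trusted, it reads /proc/net/udp directly for a socket bound to UDP 55850 and maps the socket inode to a PID. The function names and the sample table are constructed for illustration; it covers IPv4 only and assumes a Linux /proc.

```python
import os
import socket
import struct

AGENT_PORT = 55850  # UDP port named in the message above

# Constructed sample in /proc/net/udp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11822 2 0000000000000000 0
  214: 00000000:DA2A 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 40213 2 0000000000000000 0
  377: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12001 2 0000000000000000 0
"""


def udp_listeners(proc_text, port=AGENT_PORT):
    """Return IPv4 UDP sockets bound to `port`, parsed from /proc/net/udp text."""
    hits = []
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # The kernel prints the address as a native-endian 32-bit hex value.
        addr = socket.inet_ntoa(struct.pack("=I", int(addr_hex, 16)))
        hits.append({"addr": addr, "uid": int(fields[7]), "inode": int(fields[9])})
    return hits


def owner_pids(inode, proc="/proc"):
    """Map a socket inode to PIDs by walking /proc/<pid>/fd (root needed for other users)."""
    if not os.path.isdir(proc):
        return []
    target, pids = "socket:[%d]" % inode, []
    for pid in (p for p in os.listdir(proc) if p.isdigit()):
        try:
            fds = os.listdir(os.path.join(proc, pid, "fd"))
            if any(os.readlink(os.path.join(proc, pid, "fd", fd)) == target for fd in fds):
                pids.append(int(pid))
        except OSError:  # process exited, fd closed, or access denied
            continue
    return pids


if __name__ == "__main__":
    path = "/proc/net/udp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for hit in udp_listeners(text):
        print(hit, "pids:", owner_pids(hit["inode"]))
```

A PID reported here that the host's own ps does not list is consistent with the replaced ps described in the reply.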