Re: [suse-security] initsys process / rootkit? trojan?
From: Wanning, Mike (wanning BEGROS.DE)
Date: Mon Jun 02 2003 - 05:09:19 CDT
Hi Robert, Hi List,
I've found some information about initsys:
www.giac.org/practical/Edmo_Filho_GCIH.doc says:
"initsys is a session hijacking tool that can be remotely connected by using
another session hijacking tool called Hunt."
Mike Wanning
> -----Original Message-----
> From: Robert Schelander [mailto:rschelander aon.at]
> Sent: Monday, June 2, 2003 02:57
> To: suse-security suse.com
> Subject: [suse-security] initsys process / rootkit? trojan?
>
>
> Does someone know what this 'initsys' process is good for? I've never seen
> it on any of my systems before. Could it be part of a rootkit? I found the
> binary in /usr/bin/initsys
>
> thanks in advance
> Robert
>
>
> USER   PID %CPU %MEM  VSZ  RSS TTY STAT START TIME COMMAND
> root     1  0.2  0.0  448   64 ?   S    01:05 0:07 init [5]
> root     2  0.0  0.0    0    0 ?   SW   01:05 0:00 [keventd]
> root     3  0.0  0.0    0    0 ?   SW   01:05 0:00 [kapmd]
> root     4  0.0  0.0    0    0 ?   SWN  01:05 0:00 [ksoftirqd_CPU0]
> root     5  0.0  0.0    0    0 ?   SW   01:05 0:00 [kswapd]
> root     6  0.0  0.0    0    0 ?   SW   01:05 0:00 [bdflush]
> root     7  0.0  0.0    0    0 ?   SW   01:05 0:00 [kupdated]
> root    10  0.0  0.0    0    0 ?   SW<  01:05 0:00 [mdrecoveryd]
> root    14  0.0  0.0    0    0 ?   DW   01:05 0:00 [hpt_wt]
> root    15  0.0  0.0    0    0 ?   SW   01:05 0:00 [kreiserfsd]
> root    23  0.0  0.2 1312  332 ?   S    01:05 0:00 initsys
> root   256  0.0  0.5 1840  640 ?   S    01:05 0:00 /usr/sbin/apmd
> root   410  0.0  0.5 1408  640 ?   S    01:05 0:00 /sbin/syslogd
> root   413  0.0  0.8 1904 1116 ?   S    01:05 0:00 /sbin/klogd -c 1
> root   449  0.0  0.0    0    0 ?   SW   01:05 0:00 [khubd]
> bin    693  0.0  0.3 1344  404 ?   S    01:05 0:00 /sbin/portmap
> .....