
Date:  Fri, 22 Sep 2006 10:48:33 +0200
From:  Jes Kasper Klittum <jes (at mark) enavn.com>
Subject:  [coba-e:07188] Re: psybnc (IRC Bouncer)
To:  coba-e (at mark) bluequartz.org
Message-Id:  <4513A361.6020709 (at mark) enavn.com>
In-Reply-To:  <20060922072246.M10755 (at mark) howie.co.uk>
References:  <001001c6de06$1fb54020$3200a8c0 (at mark) howies> <00ab01c6de11$ccb06380$6400a8c0 (at mark) YOUR4105E587B6> <20060922072246.M10755 (at mark) howie.co.uk>
X-Mail-Count: 07188

Just wondering if you have a folder located in /usr/share/locale called 
mk0? It might be invisible, but if it is there you have a SuckIt 
rootkit installed. Let me know if /usr/share/locale/mk0 exists.

/Jes

Howie Dines wrote:
> On Fri, 22 Sep 2006 02:39:04 -0400, Darrell D. Mobley wrote
>> Did you determine how he got in?
> 
> Through the front door unfortunately, logged in as admin.
> 
> I'll crawl through the logs when I get in tonight. I'll also be looking at the image of 
> the drive from 1.5 weeks ago as I had a complete system crash and had to reload totally.
> 
> This time it just looks like he has loaded the IRC code. On the system that crashed I 
> guess he was hiding his tracks following a brute force style hack.
> 
> Oh well I was able to boot on a live CD and copy most things before reloading. So I may 
> have a chance to track him down.
> 
> Best Regards,
> Howie.
> 
> 

-- 
Kind regards,

Jes Kasper Klittum

enavn ApS [ Administration ]
Ringstedgade 11 A
4700 Næstved
-------------
enavn ApS [ Datacenter ]
Århusgade 88
2100 København Ø


Tel.: +45 88205000
Fax:  +45 88205010
support (at mark) enavn.dk
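
The check asked for in the message above, as an added example that is not part of the original e-mail: because the directory may be hidden from listings, the script compares a direct lookup of the path with what the parent directory's listing reports. The function names and status words are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare a direct path lookup with the parent directory
# listing, to spot an entry that exists but is not shown by listings.

# List entry names in a directory, one per line, including dot entries.
list_names() {
    ls -a "$1" 2>/dev/null
}

# Usage: check_dir_entry PARENT NAME
# Prints one of: absent | visible | hidden | inconsistent
check_dir_entry() {
    parent=$1
    name=$2

    # Direct lookup: resolves the path without reading the directory.
    if [ -e "$parent/$name" ] || [ -L "$parent/$name" ]; then
        reachable=yes
    else
        reachable=no
    fi

    # Listing: is the exact name among the entries the directory reports?
    if list_names "$parent" | grep -Fxq -- "$name"; then
        listed=yes
    else
        listed=no
    fi

    case "$reachable/$listed" in
        yes/yes) echo visible ;;       # present and shown
        yes/no)  echo hidden ;;        # present but missing from the listing
        no/yes)  echo inconsistent ;;  # listed but not reachable (e.g. permissions)
        *)       echo absent ;;        # neither lookup finds it
    esac
}

# The path named in the message above.
check_dir_entry /usr/share/locale mk0
```

A result of `absent` from the running system is not conclusive if the kernel itself has been tampered with; pointing the first argument at the same directory on a disk mounted from a live CD avoids relying on it.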