Ben Jackson wrote:
>> > The files are:
>> >
>> > jnk.tmp
>> > foosh
>
>Isn't `foosh' the name of the shell created by one of the rdist bug
>exploit scripts? I don't have access to the archive where I have those
>particular files so I can't check, sorry.
>
>--Ben

/tmp/foosh was in fact the suid root shell generated by the second of the two rdist exploit scripts. (The one that overflowed the buffer). If you're running rdist with setuid permissions, I'd say it is a safe bet that they used rdist to break root and trojan your binaries.

-- William