Re: [K12OSN] OT: Break-In report
- From: Rob Owens <rob owens biochemfluidics com>
- To: "Support list for open source software in schools." <k12osn redhat com>
- Subject: Re: [K12OSN] OT: Break-In report
- Date: Wed, 02 Jan 2008 09:52:53 -0500
Les Mikesell wrote:
> Rob Owens wrote:
>>
>> I particularly like the use of " " as a directory name. Nice and
>> invisible. Also note that the invader put his files in two
>> directories which have the "sticky" bit set: /dev/shm and /var/tmp
>>
>> In the end, it seems that all the invader succeeded in doing was a
>> bunch of port-scanning. The OS is going to be re-installed anyway,
>> just to be safe.
>
> It is probably looking for additional systems to compromise, and may
> have reported itself back to some controlling system.
>
Yes, that is exactly what it was doing. We found a list of usernames
(members of some group on the internet) and it looked like it was
notifying these users that the system was "open for business."
-Rob
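
A defender's check for the artifact described in this thread, added here as an example and not part of the original messages: it walks the two scratch directories named above and lists entries whose names are made only of whitespace and dots, or that begin or end with a space. The names `find_hidden_names`, `CHECK` and `DEFAULT_ROOTS` are hypothetical, and `-mindepth` assumes GNU or BSD find.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Scratch directories named in the thread; both are world-writable with the sticky bit.
DEFAULT_ROOTS="/dev/shm /var/tmp"

# Inner script run by find over batches of paths. It prints every entry whose
# basename is easy to miss in a plain `ls` listing.
CHECK='
for p in "$@"; do
    name=${p##*/}
    # Delete whitespace and dots; an empty remainder means a name such as
    # " ", "..." or ".. ".
    rest=$(printf "%s" "$name" | tr -d "[:space:].")
    # Names that merely start or end with a space are also hard to spot.
    case $name in
        " "*|*" ") edge=1 ;;
        *) edge=0 ;;
    esac
    if [ -z "$rest" ] || [ "$edge" -eq 1 ]; then
        if [ -d "$p" ]; then kind=dir; else kind=file; fi
        # Brackets make leading and trailing whitespace visible in the report.
        printf "%s [%s]\n" "$kind" "$p"
    fi
done
'

# find_hidden_names [DIR...]
# With no arguments, scans DEFAULT_ROOTS. Prints one "<kind> [<path>]" line
# per suspicious entry and stays on the filesystem of each starting directory.
find_hidden_names() {
    [ "$#" -gt 0 ] || set -- $DEFAULT_ROOTS
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -xdev -mindepth 1 -exec sh -c "$CHECK" sh {} + 2>/dev/null
    done
}
```

Run `find_hidden_names` as root so that directories owned by other accounts are readable; any hit is a lead for `ls -la` and timestamp review, not proof of compromise on its own.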