Re: Someone hacking into our system.
- From: Bernhard Rosenkraenzer <bero redhat de>
- To: Michael Hatchard <mhatch northside net au>
- Cc: "'redhat-list redhat com'" <redhat-list redhat com>, recipient list not shown: ;
- Subject: Re: Someone hacking into our system.
- Date: Sat, 1 Jan 2000 16:15:15 +0100 (CET)
On Sun, 2 Jan 2000, Michael Hatchard wrote:
> Someone has hacked into our system.
> I'm not quite sure how he is getting in.
He's almost certainly using the "RSA buffer overrun" exploit in ssh.
Try replacing ssh with OpenSSH from
ftp://ftp.redhat.de/pub/rh-addons/security/
> pico
I've never seen anyone with a lot of Unix experience use pico as his
primary editor. It's probably a script kiddie without much of a clue.
> pico /etc/inetd.conf
> killall -9 inetd
You'll want to check your inetd.conf. He might have added a "feature" like
"telnet to port xyz to get a rootshell without needing a password", either
by calling /bin/sh directly or by calling the uid thing he put on your
system.
> File uid.c contains
> #include <unistd.h>
> /* as copied into the mail the listing had "setguid", "excel" and no
>    semicolons; corrected here to the C it was evidently built from */
> int main(void)
> {
>     setgid(0);
>     setuid(0);
>     execl("/bin/sh", "/bin/sh", NULL);
>     return 1; /* only reached if execl fails */
> }
A wrapper to /bin/sh
> There are also new config files for ssh in /etc
Completely remove ssh and all its config files, and install the OpenSSH
RPMs.
LLaP
bero
--
Nobody will ever need more than 640 kB RAM.
-- Bill Gates, 1983
Windows 98 requires 16 MB RAM.
-- Bill Gates, 1999
Nobody will ever need Windows 98.
-- logical conclusion
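The two things bero tells Michael to check, inetd.conf entries that hand a shell (or a binary dropped in a scratch directory) to whoever connects, and the setuid wrapper left on the box, can be looked for with a short script. The following is an added example written for this page, not code from the thread or from Red Hat; the function names are hypothetical and the inetd.conf it scans is a constructed sample modelled on a Red Hat 6 layout, with two planted entries of the kind the thread describes ("xyz" stands in for bero's "port xyz").

```shell
#!/bin/sh
# Added example (not from the thread). Scans an inetd.conf for entries whose
# server program, or the program handed to tcpd, is a shell or lives outside
# the usual system directories, and lists setuid executables under a path.
# inetd.conf columns: service socktype proto flags user server_path [args...]

# classify_program PATH -> prints SHELL, OK or ODDPATH
classify_program() {
    case "$1" in
        sh|bash|csh|tcsh|ksh|/bin/sh|/bin/bash|/bin/csh|/bin/tcsh|/bin/ksh|/usr/bin/perl)
            echo SHELL ;;                      # an interactive shell on a port
        internal|/usr/sbin/*|/usr/bin/*|/sbin/*)
            echo OK ;;                         # where stock daemons live
        *)  echo ODDPATH ;;                    # /tmp, /dev, home dirs, ...
    esac
}

# flag_inetd_entries FILE -> one line "VERDICT:service:user:program" per suspect entry
flag_inetd_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r service socktype proto flags user server args; do
        verdict=$(classify_program "$server")
        prog="$server"
        # when the server is a wrapper such as tcpd, the real program is the
        # first argument; a bare daemon name (in.telnetd) is normal, a path is not
        if [ "$verdict" = OK ] && [ -n "$args" ]; then
            set -- $args
            case "$1" in
                */*|sh|bash|csh|tcsh|ksh) verdict=$(classify_program "$1"); prog="$1" ;;
            esac
        fi
        [ "$verdict" = OK ] || echo "$verdict:$service:$user:$prog"
    done
}

# list_setuid DIR -> files under DIR with the setuid bit set, sorted.
# Compare against a clean system or the package database (rpm -V on Red Hat);
# a setuid /bin/sh wrapper in /tmp or /dev is exactly what uid.c becomes.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# write_sample_inetd FILE -> constructed sample with two planted entries
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf (not a real system's file)
echo    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
xyz     stream  tcp     nowait  root    /bin/sh         sh -i
xyz2    stream  tcp     nowait  root    /usr/sbin/tcpd  /tmp/uid
EOF
}

# run_demo -> scan the constructed sample and print the two planted entries
run_demo() {
    f=$(mktemp)
    write_sample_inetd "$f"
    flag_inetd_entries "$f"
    rm -f "$f"
}

run_demo
```

On a real box, run `flag_inetd_entries /etc/inetd.conf` and `list_setuid /` and read every line it prints; the stock entries produce nothing, so anything that appears is either a local addition or what the intruder left. The planted sample above yields `SHELL:xyz:root:/bin/sh` and `ODDPATH:xyz2:root:/tmp/uid`.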