Possible break-in
Pete Nesbitt
pete at linux1.ca
Fri May 14 00:28:06 UTC 2004
On May 13, 2004 10:55 am, Ashley M. Kirchner wrote:
> I'm looking at a possible unauthorized access to one of our servers
> running Fedora Core 1 with all the current updates. The infected
> (modified) files are:
>
> "/usr/sbin/nstat"
> "/usr/sbin/rtacct"
> "/usr/sbin/rtstat"
> "/usr/sbin/ss"
>
> "/usr/lib/libcups.so.2"
> "/usr/lib/libcupsimage.so.2"
> "/usr/lib/libijs.so"
> "/usr/lib/libpng12.so.0.1.2.2"
>
> "/sbin/ip"
> "/sbin/tc"
> "/sbin/rtmon"
>
> ...and just about all of the user binaries that come with
> netpbm-progs-9.24-12.1.1
>
> I first noticed changes in those files yesterday and reverted them
> back to originals, and re-ran tripwire to check, and update the
> database. They're changed again today.
>
> The system has already been taken care of in terms of nuking it off
> the net. My question is, how did they get in? chkrootkit didn't detect
> anything, at least not in its set of checks, which leads me to believe
> that either they're not aware of this particular break-in, or it's
> something else.
>
> Does anyone have any insight on this?
>
> --
> W | I haven't lost my mind; it's backed up on tape somewhere.
> +--------------------------------------------------------------------
> Ashley M. Kirchner <mailto:ashley at pcraft.com> . 303.442.6410 x130
> IT Director / SysAdmin / WebSmith . 800.441.3873 x130
> Photo Craft Laboratories, Inc. . 3550 Arapahoe Ave. #6
> http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
Hi,
We had a Solaris box hacked the other day. The machine is off-line but has not
been looked at. So far it looks like there was a sendmail vulnerability that
came out around the 8th (from what I could find) and we got hacked on the 9th
(at least that is when an "eee" and a "r00t" account showed up).
Does your box have sendmail listening to the outside?
--
Pete Nesbitt, rhce
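The three checks the two messages touch on, written out as an added example that is not part of the original thread or any of the posters' tooling: a Tripwire-style hash comparison of binaries against a known-good baseline, a passwd(5) audit that flags accounts which were not in the baseline or which carry UID 0 besides root, and a parse of `netstat -ln`-style output to find sockets bound on all interfaces (the "is sendmail listening to the outside?" question). Every file blob, passwd entry and netstat line below is constructed sample data, not state from either machine.

```python
"""Defender-side checks for a suspected root compromise (added example).

All inputs are constructed samples; on a real host you would hash the files
on disk, read /etc/passwd and capture `netstat -ln` or `ss -ln` output.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- 1. Integrity check: hash the current files against a stored baseline ---
# Constructed stand-ins for the real binaries' contents.
KNOWN_GOOD = {
    "/sbin/ip": b"original ip binary (constructed)",
    "/sbin/tc": b"original tc binary (constructed)",
    "/usr/sbin/ss": b"original ss binary (constructed)",
}
BASELINE = {path: sha256_hex(blob) for path, blob in KNOWN_GOOD.items()}

# Constructed "today" state: two of the three files have been replaced.
CURRENT_FILES = {
    "/sbin/ip": b"replaced ip binary (constructed)",
    "/sbin/tc": b"original tc binary (constructed)",
    "/usr/sbin/ss": b"replaced ss binary (constructed)",
}


def changed_files(baseline: dict, current: dict) -> list:
    """Return sorted paths whose hash differs from the baseline or are missing."""
    report = []
    for path, good_hash in sorted(baseline.items()):
        blob = current.get(path)
        if blob is None or sha256_hex(blob) != good_hash:
            report.append(path)
    return report


# --- 2. Account audit: new users and extra UID-0 users since the baseline ---
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ashley:x:500:500:Ashley:/home/ashley:/bin/bash
"""
# Constructed post-incident copy: an "eee" user and a second UID-0 user appeared.
CURRENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
ashley:x:500:500:Ashley:/home/ashley:/bin/bash
eee:x:501:501::/home/eee:/bin/bash
r00t:x:0:0::/:/bin/bash
"""


def parse_passwd(text: str) -> dict:
    """Map user name -> numeric UID from passwd(5)-format text, skipping bad lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry; not worth a crash during an investigation
        try:
            users[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return users


def audit_accounts(baseline_text: str, current_text: str) -> tuple:
    """Return (users absent from the baseline, UID-0 users other than root)."""
    before = parse_passwd(baseline_text)
    now = parse_passwd(current_text)
    new_users = sorted(set(now) - set(before))
    extra_root = sorted(u for u, uid in now.items() if uid == 0 and u != "root")
    return new_users, extra_root


# --- 3. Exposed listeners: sockets bound to every interface ---
NETSTAT_SAMPLE = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""


def externally_reachable(netstat_text: str) -> list:
    """Return (proto, port) pairs whose local address is a wildcard bind."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        host, _, port = fields[3].rpartition(":")
        if host in ("0.0.0.0", "::", "*"):
            found.append((fields[0], int(port)))
    return found


if __name__ == "__main__":
    print("changed files:", changed_files(BASELINE, CURRENT_FILES))
    print("new users / extra uid 0:", audit_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
    print("wildcard listeners:", externally_reachable(NETSTAT_SAMPLE))
```

The integrity check only tells you that a file changed, not how; the baseline must live somewhere the attacker cannot rewrite (read-only media or another host), otherwise a second compromise will simply re-baseline the replaced files. The listener check deliberately ignores 127.0.0.1 binds, since a service bound to loopback is not the remote entry point the reply is asking about.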
More information about the redhat-list mailing list