Hackers are unstoppable!
Ben Mohilef
benm at dsl-only.net
Mon Aug 29 00:07:48 UTC 2005
On 28 Aug 2005 at 17:43, Webmaster wrote:
> We have not been able to determine how a hacker was able to crack one
> of our hosts and deposit binaries on all the hosts in our network (all
> hosts are FC3).
>
> A tripwire report shows the following binaries as being modified. We
> think this is part of "ethereal," an IP packet sniffer. Because so
> many files have been modified (these are just the ones in /usr/bin), we
> decided to wipe the system and install FC4. chkrootkit.0.45 sometimes
> reports that an LKM trojan has been installed, but it does not report
> a problem each time it is invoked.
>
> This would be a hack to watch out for, as a sniffer on a web host may
> have been put there presumably to capture data in submitted forms
> (like credit card numbers).
>
> Suggestions as to how to prevent this sort of thing would be entertained!
> We've already done the usual things like disallow telnet, use the
> soft firewall that comes with FC3, no anonymous FTP, no known bad php
> apps (like phpBB).
>
> Modified:
> "/usr/bin"
> "/usr/bin/411toppm"
etc.
>
Aren't those binaries all from netpbm, which just got an update?
Could they have been changed by up2date automagically?
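One way to test the hypothesis in this reply before wiping a box is to ask the RPM database whether the tripwire-flagged files still match the package that owns them: a legitimate netpbm update via up2date leaves files that verify clean against the newly installed package, while a sniffer dropped over them does not. The script below is an added example, not code from either poster or from the fedora project; `/usr/bin/411toppm` is the path quoted in the original message, the other sample paths and verify lines are constructed for illustration, and `rpm -qf`, `rpm -Vf` and `rpm -q --last` are standard rpm options.

```shell
#!/bin/sh
# Added example: triage tripwire-flagged files against the RPM database to
# tell a package update from tampering. Not part of the original thread.

# Classify one line of `rpm -V` output. The leading flag field uses:
#   S size   M mode   5 MD5 digest   D device   L link   U user   G group
#   T mtime  '.' unchanged   '?' could not be tested
# A content change (S or 5) is the interesting case; a lone T (timestamp)
# or ownership change is metadata only. "missing" means the file is gone.
classify_verify_line() {
    flags=$(printf '%s\n' "$1" | cut -c1-9)
    path=$(printf '%s\n' "$1" | awk '{print $NF}')
    case "$flags" in
        *5*|*S*)          echo "CONTENT-CHANGED $path" ;;
        *T*|*M*|*U*|*G*)  echo "METADATA-ONLY $path" ;;
        missing*)         echo "MISSING $path" ;;
        *)                echo "OK $path" ;;
    esac
}

# For each path from the tripwire report: find the owning package, verify
# the file against it, and print when that package was last installed so
# the date can be compared with the tripwire report. Files owned by no
# package are the most suspicious: a sniffer does not come from a package.
triage_paths() {
    for f in "$@"; do
        pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "UNOWNED $f"; continue; }
        # rpm -Vf prints nothing for files that match the installed package
        line=$(rpm -Vf "$f" 2>/dev/null | awk -v p="$f" '$NF == p')
        if [ -z "$line" ]; then
            echo "OK $f ($pkg)"
        else
            echo "$(classify_verify_line "$line") ($pkg)"
        fi
        echo "  installed: $(rpm -q --last "$pkg" | head -n 1)"
    done
}

# Usage: sh triage.sh /usr/bin/411toppm ...  (paths taken from the report)
# Note: if rpm itself or its database was replaced by the intruder, these
# answers are not trustworthy; rerun from rescue media, or verify against a
# pristine package file with `rpm -Vp <package>.rpm`.
if [ "$#" -gt 0 ]; then
    if command -v rpm >/dev/null 2>&1; then
        triage_paths "$@"
    else
        echo "rpm not found on this system" >&2
    fi
fi
```

A file reported CONTENT-CHANGED against the package that up2date just installed, or one that no package owns at all, is the signal here; a whole set of netpbm binaries that all verify OK against a netpbm package installed on the same day as the tripwire alert is what an ordinary update looks like.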