recent break-ins and things to look out for



Hi,

Over the last two weeks I've had a number of people ask me about the
following problem: "I can no longer log in with telnet or login" (Red
Hat 6.1).

In both cases the reason stemmed from the login program not being a PAM
enabled one. In other words

  ldd /bin/login

did not show signs of it being linked with libpam. This is not a PAM
related failure, but a side effect of someone replacing the login
binary.

[In the majority of cases that I was able to follow up with, this was
related to a malicious attack: /bin/login and /usr/bin/passwd were
replaced with 'intruder friendly ones'. The log entries that PAM and
identd logged were able to pin down the time that the attacker connected
and ftp'd their exploit kit. If anyone recognizes this mode of attack
and can point me to a more complete description of what generally gets
infected, I'd be grateful. My advice so far has been and will continue
to be "reinstall your system from CD and be sure to install all of the
available updates", but this is not always well received.]

Cheers

Andrew
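A defender's check along the lines of the `ldd` test Andrew describes, added here as an example (not part of the original post): it flags PAM-aware binaries that no longer link `libpam` and, where `rpm` is available, verifies the owning package. The binary list and the `rpm -Vf` step are assumptions about a Red Hat-style system.

```shell
#!/bin/sh
# Added example (not from the original post): flag PAM-aware binaries that
# no longer link libpam, the symptom described for a replaced /bin/login.

# pam_linked LDD_OUTPUT: succeed if the ldd output lists a libpam shared object.
pam_linked() {
    printf '%s\n' "$1" | grep -q 'libpam\.so'
}

# audit_binary PATH: run ldd on PATH and report whether libpam is linked.
# Exit status: 0 linked, 1 not linked (suspicious), 2 ldd could not inspect it.
audit_binary() {
    bin=$1
    out=$(ldd "$bin" 2>/dev/null) || {
        echo "$bin: ldd failed (missing, static, or not an executable)"
        return 2
    }
    if pam_linked "$out"; then
        echo "$bin: linked with libpam"
    else
        echo "$bin: NOT linked with libpam; treat as possibly replaced"
        return 1
    fi
}

# verify_with_rpm PATH: on an RPM-based system, check the file against the
# package database (rpm -Vf prints nothing when the file still matches).
verify_with_rpm() {
    command -v rpm >/dev/null 2>&1 || {
        echo "rpm not available; skipping package verification for $1"
        return 0
    }
    rpm -Vf "$1"
}

# audit_all PATH...: run both checks on each binary; fail if any check fails.
audit_all() {
    status=0
    for bin in "$@"; do
        audit_binary "$bin" || status=1
        verify_with_rpm "$bin" || status=1
    done
    return $status
}

# Assumed list of binaries shipped PAM-enabled on a Red Hat 6.x system.
audit_all /bin/login /usr/bin/passwd || echo "one or more binaries need attention"
```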
