[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: recent breakins and things to look out for

On Wed, Apr 26, 2000 at 11:09:22AM -0700, Andrew Morgan wrote:
> [In the majority of cases that I was able to follow up with, this was
> related to a malicious attack: /bin/login and /usr/bin/passwd were
> replaced with 'intruder friendly ones'.

I investigated such a break-in a couple of days ago on an OpenLinux
box. It appears that the intruders did not alter the RPM package database
so it was quite simple to pin down what files got changed. I cannot
tell exactly because the machine's owner had already partly restored
it. I did however notice that login had been replaced, as well as
crond and crontab. The attackers did leave parts of an intrusion kit
in some subdirectory of /dev.

During an earlier attack on that machine, attackers had also installed
a network sniffer as /usr/sbin/rpc.nlsd, that was writing its log
info to another subdirectory of /dev.

> My advice so far has been and will continue
> to be "reinstall your system from CD and be sure to install all of the
> available updates", but this is not always well received.]

That's my advice as well.

Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.            

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []