Possible break-in
Ashley M. Kirchner
ashley at pcraft.com
Thu May 13 17:55:03 UTC 2004
I'm looking at a possible unauthorized access to one of our servers
running Fedora Core 1 with all the current updates. The infected
(modified) files are:
"/usr/sbin/nstat"
"/usr/sbin/rtacct"
"/usr/sbin/rtstat"
"/usr/sbin/ss"
"/usr/lib/libcups.so.2"
"/usr/lib/libcupsimage.so.2"
"/usr/lib/libijs.so"
"/usr/lib/libpng12.so.0.1.2.2"
"/sbin/ip"
"/sbin/tc"
"/sbin/rtmon"
...and just about all of the user binaries that come with
netpbm-progs-9.24-12.1.1
I first noticed changes in those files yesterday and reverted them
back to originals, then re-ran tripwire to check and update the
database. They're changed again today.
The system has already been taken care of in terms of nuking it off
the net. My question is, how did they get in? chkrootkit didn't detect
anything, at least not in its set of checks, which leads me to believe
that either they're not aware of this particular break-in, or it's
something else.
Does anyone have any insight on this?
--
W | I haven't lost my mind; it's backed up on tape somewhere.
+--------------------------------------------------------------------
Ashley M. Kirchner <mailto:ashley at pcraft.com> . 303.442.6410 x130
IT Director / SysAdmin / WebSmith . 800.441.3873 x130
Photo Craft Laboratories, Inc. . 3550 Arapahoe Ave. #6
http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
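The post above relies on a tripwire baseline to spot the modified binaries, and then finds them changed again after restoring them. As an added example (not part of the original message or of tripwire), here is a minimal POSIX sh baseline/compare that does the same core job: record a hash of each watched file, then report any file whose hash differs or which has gone missing. The function names, the use of `sha256sum`, and the file paths in the usage comments are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: a minimal
# file-integrity baseline and compare in POSIX sh. Assumes GNU
# coreutils sha256sum is available; function names are this example's own.

# build_baseline BASELINE_FILE PATH...
# Record "sha256  path" for every regular file given, overwriting BASELINE_FILE.
build_baseline() {
    out=$1
    shift
    : > "$out"
    for f in "$@"; do
        # Skip anything that is not a regular file (dirs, sockets, missing paths)
        [ -f "$f" ] || continue
        sha256sum "$f" >> "$out"
    done
}

# check_baseline BASELINE_FILE
# Print one line per MODIFIED or MISSING file; return 1 if anything changed.
check_baseline() {
    base=$1
    status=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        cur=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$cur" != "$sum" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$base"
    return $status
}

# Usage (paths are illustrative, matching the files named in the post):
#   . ./integrity.sh
#   build_baseline /mnt/readonly/baseline.sha256 /sbin/ip /sbin/tc /usr/sbin/ss
#   check_baseline /mnt/readonly/baseline.sha256 || echo "integrity check failed"
```

Two points the example is meant to make. First, a baseline stored on the same host can be rewritten by whoever rewrote the binaries, so keep it (and the checking tool) on read-only or offline media. Second, on an RPM-based system such as Fedora Core, `rpm -V <package>` compares installed files against the package database, which is a useful cross-check but suffers from the same caveat, since that database also lives on the host being examined.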