Possible break-in
Manuel Nauta
mnauta at cisaustin.org
Thu May 13 17:56:56 UTC 2004
Just curious, was this server behind a firewall? If so, what
kind and what ports were open?
manuel
----- Original Message Follows -----
>
> I'm looking at a possible unauthorized access to one
> of our servers running Fedora Core 1 with all the current
> updates. The infected (modified) files are:
>
> "/usr/sbin/nstat"
> "/usr/sbin/rtacct"
> "/usr/sbin/rtstat"
> "/usr/sbin/ss"
>
> "/usr/lib/libcups.so.2"
> "/usr/lib/libcupsimage.so.2"
> "/usr/lib/libijs.so"
> "/usr/lib/libpng12.so.0.1.2.2"
>
> "/sbin/ip"
> "/sbin/tc"
> "/sbin/rtmon"
>
> ...and just about all of the user binaries that come
> with netpbm-progs-9.24-12.1.1
>
> I first noticed changes in those files yesterday and
> reverted them back to originals, and re-ran tripwire to
> check, and update the database. They're changed again
> today.
> The system has already been taken care of in terms of
> nuking it off the net. My question is, how did they get in?
> chkrootkit didn't detect anything, at least not in its
> set of checks, which leads me to believe that either
> they're not aware of this particular break-in, or it's
> something else.
> Does anyone have any insight on this?
>
> --
> W | I haven't lost my mind; it's backed up on tape somewhere.
>
> +--------------------------------------------------------------------
> Ashley M. Kirchner <mailto:ashley at pcraft.com>   .   303.442.6410 x130
> IT Director / SysAdmin / WebSmith                 .   800.441.3873 x130
> Photo Craft Laboratories, Inc.                    .   3550 Arapahoe Ave. #6
> http://www.pcraft.com ..... . . .                     Boulder, CO 80303, U.S.A.
>
> --
> redhat-list mailing list
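The quoted report relies on tripwire noticing that system binaries and libraries had changed against a stored baseline. The script below is an added example, not code from the thread or from tripwire, of the same technique in its simplest form: fingerprint every regular file under a directory tree (SHA-256 plus size and mode), store the result, re-scan later, and report what was modified, removed or added. The directory layout, file names and contents are constructed for the demo; the one caveat the example encodes is that the baseline is written outside the tree being checked, because on a real host an intruder who can replace /sbin/ip can equally rewrite a baseline that lives on the same filesystem, so the database belongs on read-only media or another machine.

```python
"""
Minimal tripwire-style integrity check (added example, not from the thread).

Records SHA-256 digests and size/mode metadata for every regular file under
a root directory, then re-scans and classifies differences since the
baseline. All paths and contents below are constructed for the demo.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path


def fingerprint(path: Path) -> dict:
    """Describe one file: sha256 of its contents, size in bytes and permission bits."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    st = path.stat()
    return {
        "sha256": h.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(root: Path) -> dict:
    """Walk root and fingerprint every regular (non-symlink) file, keyed by relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return files whose fingerprint changed, files that vanished, and files that appeared."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    removed = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "removed": removed, "added": added}


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline as JSON; dest must not live under the scanned tree."""
    dest.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a fake /sbin and /usr/lib, then tamper with the tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        (root / "sbin").mkdir(parents=True)
        (root / "usr" / "lib").mkdir(parents=True)
        (root / "sbin" / "ip").write_bytes(b"original ip binary\n")
        (root / "sbin" / "tc").write_bytes(b"original tc binary\n")
        (root / "usr" / "lib" / "libcups.so.2").write_bytes(b"original libcups\n")

        # Baseline stored outside the scanned tree (stands in for off-host storage).
        db = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), db)

        # Simulated tampering: one binary replaced with a same-size payload
        # (size alone would not catch it), one removed, one dropped in.
        (root / "sbin" / "ip").write_bytes(b"trojaned ip binary\n")
        (root / "sbin" / "tc").unlink()
        (root / "sbin" / "unknown_tool").write_bytes(b"unexpected new file\n")

        return compare(load_baseline(db), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script prints the three lists; the replaced binary shows up only because the content hash differs, since its size was kept identical on purpose. A real deployment would feed the baseline through the same logic on a schedule and alert on any non-empty list rather than silently "updating the database", which is exactly the step that would have let a second overwrite pass unnoticed.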