Security Incidents mailing list archives
Re: Compromised...
From: friedl () MTNDEW COM (Stephen J. Friedl)
Date: Mon, 14 Feb 2000 14:17:08 -0800
At 12:30 PM 2/7/2000 -0600, you wrote:

> There was a directory called ADMROCKS in /var/named.

I'm now in this select club also, and fortunately I caught it right away. The bad guy had compromised "ls", "ps", "rm", "mv", "netstat", and a host of others, and he was quite thorough.

While trying to get the system back up enough to assess, I found that I could not replace certain binaries in /bin with fresh-from-CD versions: a few limited files got "operation not permitted" when I tried to rename or remove them.

I was running Red Hat Linux 5.2: it is conceivable that he could have installed some kind of kernel module to have helped keep him around?

I still have the old drive freeze-dried and available.

Steve

Stephen J. Friedl / Software Consultant / Tustin, CA / 714-544-6561
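An added example (not from the poster or the list) of the kind of offline check one would run against that preserved drive once it is mounted read-only: compare each binary against a checksum list made from clean install media, and list files carrying the ext2 immutable or append-only attribute, which makes rm and mv fail with "Operation not permitted" even for root. The file paths, the list format and the mount point are assumptions for illustration.

```shell
#!/bin/sh
# audit_bins.sh (hypothetical name): integrity check for a suspect filesystem
# mounted read-only at <mount-point>. Never run binaries from the suspect tree.
# Usage: audit_bins.sh <known-good-sha-list> <mount-point>
# The list is sha256sum-style, one entry per line: "<hash>  <path relative to root>",
# generated beforehand from clean installation media.

# Print "MODIFIED <path>" for each listed file whose hash differs from the
# known-good value and "MISSING <path>" for listed files absent from the tree.
check_hashes() {
    list="$1"; root="$2"
    while read -r want path; do
        [ -n "$path" ] || continue
        f="$root/$path"
        if [ ! -f "$f" ]; then
            echo "MISSING $path"
            continue
        fi
        have=$(sha256sum "$f" | cut -d' ' -f1)
        [ "$have" = "$want" ] || echo "MODIFIED $path"
    done < "$list"
}

# Print "ATTR <flags> <path>" for regular files under $1 whose ext attribute
# string contains i (immutable) or a (append-only). Needs lsattr from
# e2fsprogs; on filesystems that do not support attributes it prints nothing.
check_attrs() {
    command -v lsattr >/dev/null 2>&1 || return 0
    find "$1" -xdev -type f -print0 2>/dev/null \
        | xargs -0 lsattr -- 2>/dev/null \
        | awk '$1 ~ /[ia]/ { print "ATTR", $1, $2 }'
}

# Command-line entry point; skipped when sourced without arguments.
if [ "$#" -eq 2 ]; then
    check_hashes "$1" "$2"
    check_attrs "$2"
fi
```

Files reported as MODIFIED are candidates for trojaned replacements; files reported with ATTR explain the "operation not permitted" behaviour and can be cleared with chattr once the evidence copy is safe.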