Security Incidents mailing list archives

Taiwan server compromise

From: claudiuc () METROPOLIS ESENTIAL RO (Claudiu Costin)
Date: Fri, 26 May 2000 10:47:46 +0300


           Hi all,

   I've noted more AXFR's from a comercial
taiwan site. After nmap scan I found more
services open and especially telnet.
  In few steps using home page email address
(which have same password as login name) I
tried to telnet. Surprise! Even password
wasn't necessary. Looking in /etc/passwd
I found as last line a user (craker :)
account with uid=0.

  What can I do? I don't have experience
with this situations.

P.S. 1) I not tried to "verify" weakness for
rest of accounts, but who know?
     2) I send a mail on "service" account
explaining compromise.

regards,

--
Claudiu COSTIN
<claudiuc () metropolis esential ro>

Current thread:

Attacks on port 25, (continued)
- - - Attacks on port 25 Vincent Lim (May 25)
    - Re: Attacks on port 25 Ryan Russell (May 26)
    - Re: Attacks on port 25 Bill Lavalette (May 28)
    - Re: Attacks on port 25 RayW (May 29)
    - invalid icmp in linux? Eric LeBlanc (May 27)
    - Re: invalid icmp in linux? Jose Nazario (May 28)
    - weird scan pattern Joe H (May 28)
    - Re: weird scan pattern Russell Fulton (May 29)
    - IDS: Scan of the week Lance Spitzner (May 30)
    - 5 scans of 12345 in a couple of hours. AUSCERT#36349 Russell Fulton (May 31)
    - Taiwan server compromise Claudiu Costin (May 26)
    - Re: Taiwan server compromise Vortex (May 26)
    - port 44767 activity Nathan Fain (May 28)
    - Re: AMDROCKS Alejandro (May 26)
    - Re: AMDROCKS J. S. Townsley (May 26)
    - Re: AMDROCKS Lance Spitzner (May 26)
    - Re: AMDROCKS Matthew F. Caldwell (May 26)
    - CERT's Handbook for Computer Security Incident Response Teams (CSIRTs) Elias Levy (May 26)