Security Incidents mailing list archives
Re: RedHat compromise
From: "Matteo,Marc A." <mmatteo () FUSIONSTORM COM>
Date: Tue, 20 Feb 2001 09:23:29 -0800
> Known files modified:
>   /etc/inetd.conf: Line added "smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb"
>   /etc/services: Line added "smbd2 54321/tcp # Samba"
>   crontab table for root: executes /usr/sbin/init every 5 minutes (the init program resides on /sbin/init and was untouched)
This looks to be the same MO as another box I've seen. That smb binary is a modified telnetd (and I believe the password is "Sh!t"). And yes, it was probably the Bind hole that got you.

BTW: use fsck to check your partition map before you reboot... you probably don't have one anymore :)

Marc
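The three indicators quoted above (an extra inetd service, a high port in /etc/services dressed up as Samba, and a root cron job running a look-alike binary from the wrong directory) are the kind of thing a responder wants to sweep for on every other box. The script below is an added example written for this archive page, not code from anyone in the thread. It parses inetd.conf, /etc/services and a root crontab and reports each of those patterns. The three config snippets are constructed to mirror what the post describes, and the baseline tables (where stock binaries live, which port a service name normally maps to, which inetd services the host is expected to run) are assumptions standing in for a real known-good image.

```python
"""Sweep inetd.conf, /etc/services and a root crontab for the backdoor
indicators described in the thread.  Added example; baseline tables below
are assumptions, not a complete inventory of a stock Red Hat install."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "source detail")

# Assumed baseline: where the genuine system binaries live.  A cron or inetd
# entry that uses a familiar basename from another directory (/usr/sbin/init
# next to the real /sbin/init) is the look-alike trick the post describes.
BASELINE_BINARIES = {
    "init": "/sbin/init",
    "in.telnetd": "/usr/sbin/in.telnetd",
    "in.ftpd": "/usr/sbin/in.ftpd",
    "smbd": "/usr/sbin/smbd",
}

# Assumed baseline: the port a service name of this family normally uses.
BASELINE_PORTS = {"smbd": 139, "netbios-ssn": 139, "telnet": 23, "ftp": 21, "ssh": 22}

# Assumed whitelist of inetd services this host is supposed to offer.
EXPECTED_INETD = {"ftp", "telnet", "finger", "pop-3", "imap"}

# Constructed sample input modelled on the quoted post (not real host data).
INETD_CONF = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd    in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd    in.telnetd
smbd2   stream  tcp  nowait  root  /usr/sbin/in.smb  in.smb
"""
SERVICES = """\
ftp          21/tcp
telnet       23/tcp
netbios-ssn  139/tcp
smbd2        54321/tcp   # Samba
"""
CRONTAB = """\
# root crontab (constructed)
0 4 * * *    /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * *  /usr/sbin/init
"""

# Five schedule fields, then the command's first token (the program path).
CRON_LINE = re.compile(r"^\s*((?:[\d*/,\-]+\s+){5})(\S+)(.*)$")


def parse_services(text):
    """Return {name: (port, proto)} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments like "# Samba"
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        table[name] = (int(port), proto)
    return table


def check_inetd(inetd_text, services):
    """Flag inetd services outside the expected set, with port, user and server."""
    findings = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        name, user, server = fields[0], fields[4], fields[5]
        port = services.get(name, (None, None))[0]
        if name not in EXPECTED_INETD:
            findings.append(Finding(
                "inetd.conf",
                f"unexpected service {name!r} (port {port}) runs {server} as {user}"))
    return findings


def check_services(services):
    """Flag names that extend a well-known service name but sit on another port."""
    findings = []
    for name, (port, proto) in services.items():
        for known, known_port in BASELINE_PORTS.items():
            if name != known and name.startswith(known) and port != known_port:
                findings.append(Finding(
                    "services",
                    f"{name} on {port}/{proto} imitates {known} ({known_port})"))
    return findings


def check_crontab(cron_text):
    """Flag cron commands whose basename matches a system binary at a different path."""
    findings = []
    for line in cron_text.splitlines():
        m = CRON_LINE.match(line)
        if not m:
            continue
        schedule, command = m.group(1).split(), m.group(2)
        expected = BASELINE_BINARIES.get(command.rsplit("/", 1)[-1])
        if expected and expected != command:
            findings.append(Finding(
                "crontab",
                f"{command} shadows {expected}, scheduled {' '.join(schedule)}"))
    return findings


def triage(inetd_text, services_text, cron_text):
    """Run all three checks and return the combined list of findings."""
    services = parse_services(services_text)
    return (check_inetd(inetd_text, services)
            + check_services(services)
            + check_crontab(cron_text))


if __name__ == "__main__":
    for f in triage(INETD_CONF, SERVICES, CRONTAB):
        print(f"[{f.source}] {f.detail}")
```

On a live host you would feed it the real files (`/etc/inetd.conf`, `/etc/services`, `crontab -l -u root`) and, since the box is assumed rooted, read them from a mounted image rather than trusting the installed binaries. The baseline tables are the part worth maintaining: a look-alike path check is only as good as the list of genuine locations it compares against.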