Security Incidents mailing list archives
Re: RedHat compromise
From: Jim Roland <jroland () ROLAND NET>
Date: Tue, 20 Feb 2001 22:46:36 -0600
Partition tables were okay. Rebooted fine, just turned out to be an annoyance. Running ipchains and a find to locate modified files revealed no sniffing activity, just that I was denied access to the system on the usual port. He forgot that I could always use the console, and his "patch" still allowed localnet traffic to enter the box on the usual ports.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
"Never settle with words what you can settle with a flamethrower" -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Matteo,Marc A." <mmatteo () FUSIONSTORM COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 20, 2001 11:23 AM
Subject: Re: RedHat compromise
Known files modified:
/etc/inetd.conf: Line added "smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb"
/etc/services: Line added "smbd2 54321/tcp # Samba"
crontab table for root: executes /usr/sbin/init every 5 minutes (the init program resides on /sbin/init and was untouched)

This looks to be the same MO as another box I've seen. That smb binary is a modified telnetd (and I believe the password is "Sh!t"). And yes, it was probably the Bind hole that got you.

BTW: use fsck to check your partition map before you reboot... you probably don't have one anymore :)

Marc
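A defender-side check for the three indicators listed above, added here as an example and not code from anyone in the thread: it parses constructed copies of inetd.conf, /etc/services and root's crontab and flags an inetd service whose server program is outside an allowlist, a high-port /etc/services entry that inetd also serves, and a cron job that runs a binary whose name shadows a core system binary at a different path. The allowlist, the canonical-path table and the sample file contents are assumptions, not taken from the thread.

```python
import re

# Constructed sample inputs mirroring the thread's indicators (assumed, not from a real host).
INETD_CONF = """ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb
"""
SERVICES = """ftp 21/tcp
telnet 23/tcp
smbd2 54321/tcp # Samba
"""
ROOT_CRONTAB = """*/5 * * * * /usr/sbin/init
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

# Hypothetical allowlist of inetd server programs expected on this host.
KNOWN_SERVERS = {"/usr/sbin/tcpd", "/usr/sbin/in.ftpd", "/usr/sbin/in.telnetd"}
# Core binaries and the only path they should ever be launched from.
CANONICAL = {"init": "/sbin/init"}

def _fields(text):
    """Yield whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        f = line.split()
        if f and not f[0].startswith("#"):
            yield f

def inetd_findings(text):
    """(service, server) pairs whose server program is not on the allowlist."""
    return [(f[0], f[5]) for f in _fields(text)
            if len(f) >= 6 and f[5] not in KNOWN_SERVERS]

def services_findings(services_text, inetd_text):
    """(name, port) for unprivileged-port services that inetd also serves."""
    served = {f[0] for f in _fields(inetd_text)}
    out = []
    for line in services_text.splitlines():
        m = re.match(r"(\S+)\s+(\d+)/(tcp|udp)", line)
        if m and int(m.group(2)) >= 1024 and m.group(1) in served:
            out.append((m.group(1), int(m.group(2))))
    return out

def crontab_findings(text):
    """(command, expected_path) for cron jobs running a look-alike of a core binary."""
    out = []
    for f in _fields(text):
        cmd = f[5] if len(f) >= 6 else ""
        base = cmd.rsplit("/", 1)[-1]
        if base in CANONICAL and cmd != CANONICAL[base]:
            out.append((cmd, CANONICAL[base]))
    return out
```

Run against the real files with the allowlist built from a known-good install (or the RPM database), and treat any finding as a lead to verify against package checksums, not as proof by itself.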