Security Incidents mailing list archives

Re: RedHat compromise


From: Jim Roland <jroland () ROLAND NET>
Date: Tue, 20 Feb 2001 22:46:36 -0600

Partition tables were okay.  Rebooted fine, just turned out to be an
annoyance.  Running ipchains and a find to locate modified files revealed no
sniffing activity, just that I was denied access to the system on the usual
port.  He forgot that I could always use the console, and his "patch" still
allowed localnet traffic to enter the box on the usual ports.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
    "Never settle with words what you can settle with a flamethrower"
          -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----- Original Message -----
From: "Matteo,Marc A." <mmatteo () FUSIONSTORM COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 20, 2001 11:23 AM
Subject: Re: RedHat compromise


Known files modified:
    /etc/inetd.conf:  Line added "smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb"
    /etc/services:    Line added "smbd2    54321/tcp    # Samba"
    crontab table for root:  executes /usr/sbin/init every 5 minutes (the init program resides on /sbin/init and was untouched)

This looks to be the same MO as another box I've seen.  That smb binary
is a modified telnetd (and I believe the password is "Sh!t").  And yes,
it was probably the Bind hole that got you.

BTW: use fsck to check your partition map before you reboot... you
probably don't have one anymore :)

Marc
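The three modifications Marc lists (a new inetd service pointing at an unknown server binary, a matching high-port entry in /etc/services, and a root cron job that runs a binary named like a system program but from the wrong directory) are easy to check for mechanically. The script below is an added example, not code from either poster: it scans constructed copies of those three files and reports entries matching each pattern. The allowlist of expected inetd server binaries, the baseline /etc/services names and the canonical path for init are assumptions stated in the code, not facts from the thread.

```python
"""Hypothetical detector for the persistence pattern described in the thread.

It checks three things against constructed sample input:
  1. inetd.conf entries whose server binary is not on an allowlist,
  2. /etc/services entries on unprivileged ports not present in a baseline,
  3. root crontab commands whose basename matches a system binary but whose
     path is not the canonical one (e.g. /usr/sbin/init vs /sbin/init).
"""
import os
import re

# Constructed sample input mirroring the modifications reported in the thread.
INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb
"""
SERVICES = """\
ftp      21/tcp
telnet   23/tcp
smbd2    54321/tcp    # Samba
"""
ROOT_CRONTAB = """\
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/sbin/init
"""

# Assumed allowlist of server binaries expected in inetd.conf on this host.
KNOWN_SERVERS = {"/usr/sbin/tcpd", "/usr/sbin/in.ftpd", "/usr/sbin/in.telnetd"}
# Assumed baseline of service names from a known-good /etc/services.
BASELINE_SERVICES = {"ftp", "telnet", "netbios-ssn", "microsoft-ds"}
# Assumed canonical locations of system binaries an attacker might shadow.
CANONICAL = {"init": "/sbin/init"}


def _lines(text):
    """Yield non-empty, non-comment lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped


def check_inetd(text, known=KNOWN_SERVERS):
    """Return (service, server_path) for entries whose server is not allowlisted."""
    findings = []
    for line in _lines(text):
        fields = line.split()
        if len(fields) < 6:
            continue
        service, server = fields[0], fields[5]
        if server not in known:
            findings.append((service, server))
    return findings


def check_services(text, baseline=BASELINE_SERVICES):
    """Return (name, port, proto) for unprivileged-port entries absent from the baseline."""
    findings = []
    pattern = re.compile(r"^(\S+)\s+(\d+)/(\w+)")
    for line in _lines(text):
        match = pattern.match(line)
        if not match:
            continue
        name, port, proto = match.group(1), int(match.group(2)), match.group(3)
        if port >= 1024 and name not in baseline:
            findings.append((name, port, proto))
    return findings


def check_crontab(text, canonical=CANONICAL):
    """Return (found_path, canonical_path) for commands shadowing a system binary."""
    findings = []
    for line in _lines(text):
        fields = line.split()
        if len(fields) < 6:
            continue
        for token in fields[5:]:  # everything after the five schedule fields
            expected = canonical.get(os.path.basename(token))
            if expected and token != expected:
                findings.append((token, expected))
    return findings


def scan_all(inetd=INETD_CONF, services=SERVICES, crontab=ROOT_CRONTAB):
    """Run all three checks and return a dict of findings per file."""
    return {
        "inetd.conf": check_inetd(inetd),
        "services": check_services(services),
        "crontab": check_crontab(crontab),
    }


if __name__ == "__main__":
    for source, hits in scan_all().items():
        for hit in hits:
            print(f"{source}: suspicious entry {hit}")
```

On a live host the sample strings would be replaced by the contents of the real files, and the allowlist and baseline should come from a trusted copy (package manifests or a pre-incident backup) rather than from the compromised system itself.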


