Security Incidents mailing list archives
Re: RedHat compromise
From: "Fabio Pietrosanti (naif)" <naif () INET IT>
Date: Wed, 21 Feb 2001 16:24:13 +0100
What about init from crontab every 5 minutes... does it start with a /sbin/init q ? Perhaps /etc/inittab was trojaned to start something ?

Pietrosanti Fabio
I.NET SpA, High Quality Access to the Internet
e-mail: naif () inet it ( Direzione Tecnica, Security Staff )
        firewall () inet it
PGP Key (DSS): http://naif.itapac.net/naif.asc
Home Page URL: http://www.inet.it
Sede: Via Darwin, 85 20019 Settimo Milanese (MI)
Tel: 02-328631 Fax: 02-328637701
--
Free advertising: www.openbsd.org - Multiplatform Ultra-secure OS

On Mon, 19 Feb 2001, Jim Roland wrote:
> Date: Mon, 19 Feb 2001 15:43:47 -0600
> From: Jim Roland <jroland () ROLAND NET>
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: RedHat compromise
>
> I have a customer who had one RH61 system compromised. Symptoms: Unable to telnet to the box nor acquire a POP3 connection (drops connection) from outside. You can telnet to the box from the locally attached subnet w/o problem.
>
> Known files modified:
>
> /etc/inetd.conf: Line added "smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb"
> /etc/services: Line added "smbd2 54321/tcp # Samba"
> crontab table for root: executes /usr/sbin/init every 5 minutes (the init program resides on /sbin/init and was untouched)
>
> No Samba/SMB services were installed on this system by me and its NAMED server (bind) was current as per RedHat.
>
> From the remote network, I am able to telnet to port 54321 and get a telnet prompt on the box. Further investigation shows that all TCP connections are denied. No IP addresses are reflected in /var/log/messages nor /var/log/secure, and I am unable to determine from where the attack came, but the date/time stamp on the files shows it occurred on Feb 19, at 05:05 localtime.
>
> How can I find where it came from?
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Jim Roland, RHCE (RedHat Certified Engineer)
> Owner, Roland Internet Services
> "Never settle with words what you can settle with a flamethrower" -- Anonymous
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
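A triage check for the three persistence spots named in this thread (the added inetd.conf/services pair, the root crontab running /usr/sbin/init instead of /sbin/init, and the inittab respawn that Fabio's reply suspects), written as an added example for this archive page and not code from either poster. The config fragments are constructed samples modelled on the indicators above; the known-directory table and the tcpd wrapper allowlist are assumptions for illustration.

```python
import re
# Constructed sample fragments modelled on the indicators in the post (not real hosts).
INETD_CONF = """telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb"""
SERVICES = """telnet 23/tcp
smbd2 54321/tcp # Samba"""
ROOT_CRONTAB = """0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/sbin/init"""
INITTAB = """id:3:initdefault:
1:2345:respawn:/sbin/mingetty tty1
x9:2345:respawn:/usr/sbin/in.smb"""
# Assumed table: where core binaries legitimately live; a same-named file elsewhere is suspect.
KNOWN_BIN_DIRS = {"init": "/sbin", "inetd": "/usr/sbin"}
WRAPPERS = ("/usr/sbin/tcpd",)  # assumed allowlist of legitimate inetd launchers

def parse_inetd(text):
    """Return (service, user, server_path) for each active inetd.conf line."""
    return [(f[0], f[4], f[5]) for f in (l.split() for l in text.splitlines())
            if len(f) >= 6 and not f[0].startswith("#")]

def parse_services(text):
    """Map service name -> TCP port from /etc/services-style text."""
    matches = (re.match(r"\s*(\S+)\s+(\d+)/tcp", l) for l in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in matches if m}

def masquerading_binaries(text, known_dirs=KNOWN_BIN_DIRS):
    """Absolute paths whose basename is a core binary but whose directory is wrong."""
    hits = []
    for path in re.findall(r"(?<!\S)/\S+", text):
        directory, _, name = path.rpartition("/")
        if name in known_dirs and directory != known_dirs[name]:
            hits.append(path)
    return hits

def triage(inetd, services, crontab, inittab):
    """Return findings for the three places the post and the reply point at."""
    findings, ports = [], parse_services(services)
    for svc, user, server in parse_inetd(inetd):
        port = ports.get(svc)  # unregistered or high-port root services stand out
        if user == "root" and server not in WRAPPERS and (port is None or port >= 1024):
            findings.append(f"inetd: {svc} on port {port} runs {server} as root")
    for path in masquerading_binaries(crontab):
        findings.append(f"crontab: {path} masquerades as a system binary")
    for line in inittab.splitlines():
        parts = line.split(":", 3)  # id:runlevels:action:process
        if len(parts) == 4 and parts[2] == "respawn" and "getty" not in parts[3]:
            findings.append(f"inittab: respawn of non-getty process {parts[3]}")
    return findings
```

Running triage(INETD_CONF, SERVICES, ROOT_CRONTAB, INITTAB) on the samples yields one finding per file; on a real host the same functions would be fed the contents of the four files read from a trusted (read-only or offline) copy of the disk.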