Security Incidents mailing list archives
RE: ckcool?
From: "Bob Maccione" <Bob_Maccione () hilton com>
Date: Wed, 20 Feb 2002 16:51:14 -0600
It appears that he had opened the FTP and Telnet ports on the Linksys, and I noticed a line in /var/log/messages indicating that root was acquired via ftp. (I don't have the disk here right now but am going to mount it up on a box at home to look at the filesystem.) Luckily it wasn't a professional job, since there was a home dir called ckcool and the .so's that were changed were in there. There was also a passwd-, etc. in /etc. I'm going to take the disk back home and will attempt to summarize the findings. thanks all, bobm
-----Original Message-----
From: James <jlotts () gte net>@INTERNET@HHC
Sent: Wednesday, February 20, 2002 4:34 PM
To: Bob Maccione
Cc: incidents () securityfocus com
Subject: Fw: ckcool?

<<...>>

There are not any vulnerabilities that I know of. He probably had that server set as a 'DMZ server', which in Linksys terms, means that it is completely open to the Internet. Were I to hazard a guess, it was probably changed from the inside. Do you know if he had the default password set, or remote administration enabled?

James

-----Original Message-----
From: Bob Maccione [mailto:Bob_Maccione () hilton com]
Sent: Tuesday, February 19, 2002 8:45 AM
To: 'incidents () securityfocus com'
Subject: ckcool?

I have a friend that got hacked running linux. Luckily it's an immature enough hack that the mess left behind told me what happened. In this case a user was created called 'ckcool' and then a rootkit was thrown down. I'm going to get the disk from him to see what all was done but one thing puzzled me. It seems that the password on the Linksys firewall/router was also changed. Has anyone seen/heard of any vulnerabilities in the Linksys Cable/DSL router/firewalls?

thanks
bob
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
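One check a responder could run over the mounted disk Bob describes: compare the live /etc/passwd against the passwd- backup that useradd/vipw leaves behind, to list accounts that were added, and flag any UID-0 account other than root. This is an added example, not code from the thread; the file contents are constructed, and giving the ckcool entry UID 0 is an assumption for illustration.

```python
"""Diff /etc/passwd against its passwd- backup and flag extra UID-0 accounts.
The two file bodies below are constructed sample data for this example."""

# Constructed: passwd- as left by the last account change before the intrusion.
PASSWD_BACKUP = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
bob:x:500:500:Bob:/home/bob:/bin/bash
"""

# Constructed: the live passwd; the ckcool line (UID 0 assumed) is the addition.
PASSWD_CURRENT = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
bob:x:500:500:Bob:/home/bob:/bin/bash
ckcool:x:0:0::/home/ckcool:/bin/bash
"""


def parse_passwd(text):
    """Return {username: (uid, gid, home, shell)} for each well-formed line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines rather than crash mid-triage
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = (int(uid), int(gid), home, shell)
    return entries


def added_accounts(backup_text, current_text):
    """Accounts present in the live passwd but absent from the passwd- backup."""
    before = parse_passwd(backup_text)
    after = parse_passwd(current_text)
    return sorted(set(after) - set(before))


def uid0_accounts(text):
    """Every account with UID 0 other than root, i.e. a root-equivalent login."""
    return sorted(name for name, (uid, *_rest) in parse_passwd(text).items()
                  if uid == 0 and name != "root")


if __name__ == "__main__":
    print("added since passwd-:", added_accounts(PASSWD_BACKUP, PASSWD_CURRENT))
    print("extra UID-0 accounts:", uid0_accounts(PASSWD_CURRENT))
```

On a real disk, read both files from the mounted image (e.g. /mnt/evidence/etc/passwd and passwd-) instead of the constructed strings, and run the same two functions.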
Current thread:
- ckcool? Bob Maccione (Feb 20)
- Re: ckcool? Johan Denoyer (Feb 22)
- Re: ckcool? Chris Wilkes (Feb 22)
- <Possible follow-ups>
- Re: ckcool? Mike Shaw (Feb 22)
- RE: ckcool? Bob Maccione (Feb 22)
- Fw: ckcool? James (Feb 22)