Security Incidents mailing list archives
Re: Root password changed
From: Adam Bultman <adamb () glaven org>
Date: Mon, 6 Jan 2003 15:38:44 -0500 (EST)
Sounds like someone used a vulnerability in a service you have open and got it running. I don't know if you checked using the more advanced tools, but you might want to run the more powerful IDSes and programs that will be able to check files/binaries on a deeper level than doing an 'ls -la' (as rootkits will install binaries that hide processes, files, etc). I'd also suggest you check other servers that have other services available. They may have gotten onto another system and compromised that server via another service not available to the outside (but of course, I know nothing of your internal network).

My systems run tripwire, chkrootkit, and logsentry, which give me info on what is happening on my servers. I prefer verbose logging, rather than my predecessor's 'Hear no evil, see no evil' policy of sending everything to /dev/null. I'd start comparing file sizes between that and another similar system to see if you have been trojaned or cracked, or if you have been for some time. Either way, I'd prep another server to replace that one, as I personally will not trust a server that has been trojaned or compromised in that fashion.

--
adamb () glaven org [ www.glaven.org ]

On Fri, 3 Jan 2003, RCS wrote:
I have no idea how the root password on my FreeBSD 4.0 system was changed, only I have access to it and I have only SMTP (sendmail 8.12.1), POP3 (qpopper), Apache 1.3.26 and BIND 8.2.3. Everything else is restricted by ACLs at the router. I had to enter single user mode and change it today. I have thoroughly checked running processes and the logs and there is nothing suspicious.

Please give me your opinion on what could have caused this.

Thanks

--
Roberto Cardona Jr.
IT/IS Manager
Corporate Office Centers | http://www.corporateofficecenters.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
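The "compare file sizes/binaries against a similar system" check Adam recommends, as an added example that is not part of this thread or of any of the tools it names: a small POSIX sh script that builds a hash-and-size manifest of system binaries and diffs it against a manifest taken from a known-good host or a clean install. The function names and the manifest format are this example's own.

```shell
#!/bin/sh
# Record SHA-256 hash and size of every regular file under the given
# directories, then diff that manifest against one taken from a trusted
# baseline (clean install, or a similar known-good server).
# Hypothetical helper, not a real package. Uses sha256(1) on FreeBSD and
# sha256sum(1) elsewhere, whichever is present.

hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD: -q prints only the digest
    else
        sha256sum "$1" | cut -d' ' -f1      # GNU coreutils
    fi
}

# make_manifest DIR... : prints one "hash size path" line per regular file
make_manifest() {
    for d in "$@"; do find "$d" -type f 2>/dev/null; done | sort |
    while IFS= read -r f; do
        printf '%s %s %s\n' "$(hash_file "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
    done
}

# compare_manifests BASELINE CURRENT : prints ADDED/CHANGED/REMOVED lines.
# Exit status 0 = identical, 1 = differences found, 2 = unusable baseline.
compare_manifests() {
    [ -s "$1" ] || { echo "compare_manifests: empty baseline $1" >&2; return 2; }
    awk '
        # pass 1 (NR == FNR): load the baseline, keyed by path (may contain spaces)
        NR == FNR { p = $0; sub(/^[^ ]+ [^ ]+ /, "", p); base[p] = $1 " " $2; next }
        # pass 2: each current file is new, modified, or unchanged
        {
            p = $0; sub(/^[^ ]+ [^ ]+ /, "", p); seen[p] = 1
            if (!(p in base))              { print "ADDED   " p; diff = 1 }
            else if (base[p] != $1 " " $2) { print "CHANGED " p; diff = 1 }
        }
        # anything left in the baseline has been deleted on the current system
        END {
            for (p in base) if (!(p in seen)) { print "REMOVED " p; diff = 1 }
            exit (diff ? 1 : 0)
        }' "$1" "$2"
}

# Typical use on the suspect host, against a manifest made on a clean system:
#   make_manifest /bin /sbin /usr/bin /usr/sbin /usr/libexec > current.txt
#   compare_manifests baseline.txt current.txt
```

On a host where a rootkit has already replaced sha256, awk or find, the comparison can lie; run the check from trusted, read-only media (or against the mounted disk from a clean system), which is also why tripwire-style baselines must be taken before the compromise.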