Security Incidents mailing list archives

Re: Root password changed


From: Adam Bultman <adamb () glaven org>
Date: Mon, 6 Jan 2003 15:38:44 -0500 (EST)

Sounds like someone used a vulnerability in a service you have open and 
got it running.  I don't know if you checked using the more advanced 
tools, but you might want to run the more powerful IDSes and programs that 
will be able to check files/binaries on a deeper level than doing an `ls 
-la' (as rootkits will install binaries that hide processes, files, 
etc).

I'd also suggest you check other servers that have other services 
available.  They may have gotten onto another system and compromised that 
server via another service not available to the outside (but of course, 
I know nothing of your internal network).
  
My systems run tripwire, chkrootkit, and logsentry which gives me 
info on what is happening on my servers. I prefer verbose logging, rather 
than my predecessor's 'Hear no evil, see no evil' policy of sending 
everything to /dev/null.   

I'd start comparing file sizes between that and another similar system to 
see if you have been trojaned or cracked, or if you have been for some 
time. 

Either way, I'd prep another server to replace that one, as I personally 
will not trust a server that has been trojaned or compromised in that 
fashion.  

-- 
adamb () glaven org
[ www.glaven.org ]

On Fri, 3 Jan 2003, RCS wrote:

I have no idea how the root password on my FreeBSD 4.0 system was
changed, only I have access to it and I have only SMTP (sendmail
8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3 . Everything else
is restricted by ACLs at the router.

I had to enter single user mode and change it today.

I have thoroughly checked running processes and the logs and there is
nothing suspicious.

Please give me your opinion on what could have caused this.

Thanks

--
Roberto Cardona Jr.

--
Roberto Cardona Jr.       
IT/IS Manager 
Corporate Office Centers | http://www.corporateofficecenters.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

