nanog mailing list archives
RE: resolved Re: should i publish a list of cracked machines?
From: Roeland Meyer <rmeyer () mhsc com>
Date: Thu, 23 Aug 2001 10:32:59 -0700
|> From: Jim Mercer [mailto:jim () reptiles org]
|> Sent: Thursday, August 23, 2001 9:39 AM
|> my suspicions and some things to look for:
|>
|> - boxes were compromised using the buffer overflow in telnetd (speculation)
|> - my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
|> - nscd appears to be a hacked sshd, listening on a 14000 series port
|> - it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
|> - there was a file in /dev/ptaz which appeared to be DES crypto gunge
|> - there were a bunch of irc/eggdrop related files in a ".e" directory of
|>   one of the user's $HOME
|>
|> suggestions for looking about:
|>
|> - do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files
|>   with the same timestamp
|>
|> - do a "du /dev" and look for anomalies
|> - do a "cd /dev ; ls -l | grep -e-" and look for anomalies
|> - do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies

Shorter answer ... run tripwire.
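
The manual checks suggested in the quoted message, collected into a script as an added example; it is not part of either poster's message. The function names are this example's own, it uses `find -type f` for the /dev check, and it assumes GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example: the manual checks from the quoted message as functions.
# Function names are this example's own. Assumes GNU or BSD stat(1).

# Print a file's mtime as YYYY-MM-DD (GNU stat first, BSD stat as fallback).
mtime_day() {
    d=$(stat -c '%y' "$1" 2>/dev/null) ||
        d=$(stat -f '%Sm' -t '%Y-%m-%d' "$1") || return 1
    printf '%s\n' "$d" | cut -c1-10
}

# "look for anomalies in /dev": regular files do not belong among device
# nodes. -xdev stays off separately mounted filesystems such as /dev/shm.
dev_regular_files() {
    find "${1:-/dev}" -xdev -type f -print
}

# "all /bin /usr/bin files with the same timestamp": print "DAY PATH" for
# every file whose mtime day differs from the most common day in the directory.
bin_mtime_outliers() {
    dir=$1
    tmp=$(mktemp) || return 1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(mtime_day "$f")" "$f"
    done > "$tmp"
    mode=$(cut -d' ' -f1 "$tmp" | sort | uniq -c | sort -rn |
        awk 'NR == 1 { print $2 }')
    awk -v m="$mode" '$1 != m' "$tmp"
    rm -f "$tmp"
}

# Run against the live system only when asked: sh triage.sh run
if [ "${1:-}" = run ]; then
    echo "== regular files under /dev"
    dev_regular_files /dev
    for b in /bin /usr/bin /sbin /usr/sbin; do
        echo "== mtime outliers in $b"
        bin_mtime_outliers "$b"
    done
fi
```

Like the manual checks, this relies on the host's own `find` and `stat`, so on a suspect machine run it from trusted media or against a mounted image. A baseline tool such as tripwire instead compares files against checksums recorded beforehand.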