Adam Jinks (adam@simmerdown.com)
Sun, 20 Feb 2000 13:21:40 -0800 (PST)
->(for those interested, the intruder first compromised a UBC system Dec
->28th, probably using wu-ftpd, set up a packet sniffer, grabbed some
->passwords for some of ours, logged onto an Alpha, hopped to a Linux box
->(which didn't allow telnet from offsite), got root via (I think) a crontab
->exploit, set up another packet sniffer and a rootkit, and hopped to
->another Linux box, at which point someone noticed and unplugged things...)
one of my servers was cracked on Friday night by using (what looks like) a
BIND pre-8.2.x exploit. i'd advise all who are running BIND to upgrade to
8.2.2 patch5 if you haven't already.
but speaking of root kits, does anyone know how to tell if someone's
installed a root kit? for some reason i can't log on to ttyp1;
ttyp0, 2, 3 are ok though. doing a finger shows no-one logged on to that
terminal. this started happening after the intrusion (cosmic
coincidence?).
i checked the dates and sizes of some of the files a root kit would alter
such as finger, ps, top, etc. but they all appear fine.
any theories/suggestions would be appreciated because i'd like to know if
my server is now doing some malevolent cracker's evil bidding.
aj
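An added illustration, not part of the original message or the list archive, of why comparing dates and sizes of ps, top, finger and the like is not a reliable rootkit test: a replacement binary can be padded to the same length and have its modification time reset with `touch -r`, so both checks "appear fine" while the content differs. Hashing each file against a baseline recorded while the system was known clean (or against the distribution's own checksums, e.g. `rpm -V` on RPM systems, or an integrity tool such as Tripwire) catches the swap. The script below is constructed for this purpose: it works only in a temporary directory with fake stand-ins for ps and top, and the function and file names are its own.

```shell
#!/bin/sh
# Added example (not from the original post): a file-integrity baseline check.
# A rootkit that replaces ps/top/finger can keep the replacement the same size
# and reset its mtime, so a size/date comparison passes while the content is
# different. Hashing against a baseline recorded on a known-clean system
# catches the swap. All paths below are constructed in a temp directory.

# record_baseline BASELINE_FILE FILE...  -- write one "sha256  path" line per file
record_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        sha256sum "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE_FILE -- recompute each hash; prints changed paths
# and returns 1 if any file differs from the baseline, 0 otherwise
verify_baseline() {
    changed=0
    while read -r expected path; do
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED: $path"
            changed=1
        fi
    done < "$1"
    return $changed
}

# check_size_and_mtime FILE SIZE REF -- the weak check from the post: same byte
# count and same modification time as REF. Returns 0 when nothing looks changed.
check_size_and_mtime() {
    [ "$(wc -c < "$1")" -eq "$2" ] || return 1
    [ "$1" -nt "$3" ] && return 1
    [ "$1" -ot "$3" ] && return 1
    return 0
}

# demo -- constructed scenario: fake ps/top, a baseline, then a "trojaned" ps of
# identical size whose mtime is reset. Returns 0 when the size/mtime check is
# fooled but the hash check catches the change.
demo() {
    workdir=$(mktemp -d)
    printf 'genuine ps binary v1\n' > "$workdir/ps"      # 21 bytes
    printf 'genuine top binary\n'   > "$workdir/top"
    cp -p "$workdir/ps" "$workdir/ps.ref"                 # keeps original mtime
    orig_size=$(wc -c < "$workdir/ps")
    record_baseline "$workdir/baseline.sha256" "$workdir/ps" "$workdir/top"

    # Replacement has the same length (21 bytes) and borrows the old mtime.
    printf 'rootkit ps, hides it\n' > "$workdir/ps"
    touch -r "$workdir/ps.ref" "$workdir/ps"

    if check_size_and_mtime "$workdir/ps" "$orig_size" "$workdir/ps.ref"; then
        fooled=0                   # dates and sizes "appear fine"
    else
        fooled=1
    fi
    if verify_baseline "$workdir/baseline.sha256"; then
        caught=0
    else
        caught=1                   # hash mismatch reported for ps
    fi
    rm -rf "$workdir"
    [ "$fooled" -eq 0 ] && [ "$caught" -eq 1 ]
}

demo && echo "size/mtime check fooled; hash baseline caught the swap"
```

Two caveats for using this on a real box: the baseline has to predate the compromise (otherwise compare against pristine copies from the distribution media or package database), and a kernel-level rootkit can lie to `sha256sum` just as it lies to `ps`, so the check is only trustworthy when run from a clean boot medium against the mounted disk.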
-- This message came to you via the Vancouver Linux Users Group mailing list. For unsubscription instructions do not email the list, but rather send mail to <vanlug-request@gweep.bc.ca>.
This archive was generated by hypermail 2.0b3 on Sun 20 Feb 2000 - 21:22:50