Jim McCloskey said:
> I've not had to deal with such an exploit before, so I would really
> appreciate any advice that's going. I've stopped the lprng daemon
> for now, until I can tighten things up.
Depending on the box and its uses, most likely if it were mine I would reinstall. That's really the only way to be sure. Otherwise, keep an eye on /etc/passwd for trojan accounts. I had a Red Hat system compromised by an old lpd exploit about a year ago. The system was unmaintained, and one day I logged in to find a few new accounts on the system :) Also do routine nmap scans on it, both TCP and UDP, for anything unusual listening. I recommend firewalling (I don't trust tcp_wrappers) anything that's not in use. Feel free to nmap my machine portal.aphroland.org and you'll see the dozens and dozens and dozens of ports I have firewalled. I re-run the nmap scan every time I boot the system, since the RPC services use a semi-random port when they load, and I need RPC for NFS on my internal network. I wish I could get RPC to bind to a specific NIC; that would be a huge improvement.

I wish ipchains had the ability to firewall a range of ports like ipf does, or I wish someone would just port ipf to kernel 2.2 :) I'm not using 2.4 anytime soon. It would make things much easier: I would just firewall 500-1023 and not have to nmap each time, and not have to have 500 individual rules, one for each port! I just need to turn my FreeBSD machine into a real firewall instead of a server that sits there and does nothing.

The main thing, though, is /etc/passwd. Of the 2 systems I've had compromised (1 last year, 1 about 4 years ago), both had new accounts on them. I would also try to dig up an exploit for that lprng bug and see if it works on your system. Maybe that way you can get a better idea of whether you were compromised or not. From the look of the logs and the brief report I skimmed on SecurityFocus, it seems quite likely you were, even though you may have a newer version than what was once affected.

nate
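The /etc/passwd check Nate keeps coming back to can be scripted rather than eyeballed. The following is an added example and not code from the thread: it diffs a saved baseline copy of /etc/passwd against the current one and reports accounts that were added, accounts whose fields were altered, and any non-root account that carries UID 0. The two passwd files below are constructed sample data for the demo (including a planted "toor" UID 0 account); the baseline path on a real box, taken right after install and ideally stored read-only, is an assumption you would fill in yourself.

```shell
#!/bin/sh
# Added example (not from the original post). Compares a baseline /etc/passwd
# against the current one and flags the kinds of changes a trojan account
# leaves behind. Sample data is constructed; paths are assumptions.

BASELINE=$(mktemp)
CURRENT=$(mktemp)
trap 'rm -f "$BASELINE" "$CURRENT"' EXIT

# Constructed "clean" snapshot taken right after install.
cat > "$BASELINE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
nate:x:500:500:Nate:/home/nate:/bin/bash
EOF

# Constructed "current" file: two new accounts, one of them UID 0,
# and the lp account given a real shell.
cat > "$CURRENT" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
nate:x:500:500:Nate:/home/nate:/bin/bash
toor:x:0:0::/:/bin/sh
adm1n:x:501:501::/home/adm1n:/bin/bash
EOF

# new_accounts BASELINE CURRENT: usernames in CURRENT that are not in BASELINE.
new_accounts() {
    b=$(mktemp); c=$(mktemp)
    cut -d: -f1 "$1" | sort > "$b"
    cut -d: -f1 "$2" | sort > "$c"
    comm -13 "$b" "$c"
    rm -f "$b" "$c"
}

# uid0_accounts FILE: every account other than root whose UID field is 0.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# changed_accounts BASELINE CURRENT: usernames present in both files whose
# full passwd line differs (UID, home, shell, etc. was edited in place).
changed_accounts() {
    awk -F: 'NR == FNR { base[$1] = $0; next }
             ($1 in base) && base[$1] != $0 { print $1 }' "$1" "$2"
}

# passwd_report BASELINE CURRENT: prints findings, returns 1 if any were found.
passwd_report() {
    found=0
    for kind in new uid0 changed; do
        case $kind in
            new)     out=$(new_accounts "$1" "$2") ;;
            uid0)    out=$(uid0_accounts "$2") ;;
            changed) out=$(changed_accounts "$1" "$2") ;;
        esac
        if [ -n "$out" ]; then
            found=1
            echo "$kind accounts:"
            echo "$out" | sed 's/^/  /'
        fi
    done
    return $found
}

passwd_report "$BASELINE" "$CURRENT"
```

Run it from cron with the real paths and mail yourself the output; a non-zero exit from passwd_report is the signal. Note that it only catches additions and edits to /etc/passwd itself, so it complements rather than replaces the nmap sweep for unexpected listeners.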