On Wed, 29 Apr 1998, Kevin W. Reed wrote:

> What exactly is "lots of evil stuff"....

It is definitely evil stuff and not the usual mysterious looking but
harmless things that shells tend to collect.  In this case it is smurfing
attacks.  There's also another "mystery process" running which I haven't
figured out what it does.  Right now the system is "in stasis" with the
ethernet interface down and most of the daemons disabled, while I sort out
what is going on with it.  Even the smurfs are still running around.
(though I can't imagine they're accomplishing anything with the network
cord unplugged!)

> > None of those processes had a controlling terminal.
> 
> In the case above the same...

Yes, but more importantly here, it means the intruder got away by logging
out before I could catch him.  Because of a classic hacker mistake I was
able to determine which user account the breakin occurred from (of course,
maybe it's just a wily hacker pretending that someone else was responsible
- but I don't think so).  I was also able to determine where he came in
from (Bulgaria, for what it's worth).

> Aside from the weird "lots of evil stuff"... What else has been 
> moved/changed...??

tcpd was replaced with a trojan one.  RPM hasn't been able to find any
other changes (that I didn't make myself) but of course in case of
compromise I hate to consider the RPM database really authoritative.  I
will probably be reinstalling (needed it anyway), however, the thing that
gets me, is that I haven't got the foggiest idea what security hole he
used to obtain root.  I have all the errata except, as it turns out, the
2.0.7 glibc update.  However, I did have the last 2.0.6 update - and I
think that 2.0.7 was all bugfixes and no security fixes, except the FTP
DoS bug which didn't affect me as I don't run FTP on this system anyway.
Was there a potentially exploitable bug in 2.0.6?  If so, what was it?

As it happens, the exploit process is still running, even though the
exploit itself has been removed.  I know that Linux maintains a
descriptor/handle to a running program file even if it's been removed from
the filesystem and stores the inode information in the /proc system. 
Therefore, I assume that if someone has an appropriate utility (or I
figure it out from /proc) I can recover the exploit program and track
down the hole.  That would make me a lot happier.

(This is one of those days when I'm glad my network is doubly redundant
and I can afford to just drop a server for a couple days!)



-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.
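The recovery the poster describes above (pulling a still-running but unlinked executable back out of /proc), as an added example that is not part of the original post or the thread. It assumes a modern Linux with /proc mounted, where /proc/PID/exe can be opened directly to read the mapped binary; a 1998-era 2.0 kernel may behave differently. The function names and output file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post.  Locate processes whose
# executable was unlinked after exec and copy the still-mapped binary
# back out of /proc.  Assumes Linux with /proc mounted and a kernel that
# serves the open executable through /proc/PID/exe (any modern Linux).

# Print "PID PATH" for every process whose /proc/PID/exe target has been
# deleted from the filesystem.  The kernel appends " (deleted)" to the
# link target in that case.  Processes we may not inspect are skipped.
find_deleted_exes() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        target=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$target" in
            *' (deleted)') printf '%s %s\n' "$pid" "${target% (deleted)}" ;;
        esac
    done
}

# Copy the in-memory executable of PID to OUT.  The inode stays alive
# while the mapping exists, so opening /proc/PID/exe still yields the
# complete original file even though its directory entry is gone.
# Needs the same uid as the process, or root.
recover_exe() {
    pid=$1; out=$2
    [ -r "/proc/$pid/exe" ] || { echo "cannot read /proc/$pid/exe" >&2; return 1; }
    cat "/proc/$pid/exe" > "$out" && chmod 0600 "$out"
}

# Grab the binary plus the process's command line, memory map, open file
# descriptors and working directory into DIR; together these usually show
# what the tool was talking to.  Prints DIR on success.
snapshot_process() {
    pid=$1; dir=$2
    mkdir -p "$dir"
    recover_exe "$pid" "$dir/exe.bin" || return 1
    tr '\0' ' ' < "/proc/$pid/cmdline" > "$dir/cmdline"; echo >> "$dir/cmdline"
    cat "/proc/$pid/maps" > "$dir/maps" 2>/dev/null
    ls -l "/proc/$pid/fd" > "$dir/fds" 2>/dev/null
    readlink "/proc/$pid/cwd" > "$dir/cwd" 2>/dev/null
    echo "$dir"
}

# Usage:  sh recover_deleted_exe.sh            -> list deleted-but-running
#         sh recover_deleted_exe.sh PID DIR    -> snapshot that process
case $# in
    0) find_deleted_exes ;;
    2) snapshot_process "$1" "$2" ;;
    *) echo "usage: $0 [PID DIR]" >&2 ;;
esac
```

Do the snapshot before anything else on the box: killing the process, or a reboot, drops the last reference to the inode and the binary is gone for good. The recovered file can then be examined offline with strings, a disassembler, or a diff against the packaged version of whatever it was masquerading as.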