Sorry if this question is obvious but I am still learning. Do you know how your
system was compromised?


On 23-Mar-2000 Todd Black wrote:
> 
> Hello
> 
> I originally started writing this because I wanted to know if my ethernet
> card could put itself into promiscuous mode (even though I was pretty
> sure of the answer), but it's now more of a log of my search through the
> system..
> 
> My colleague came in last night to find that our network was being
> flooded. On further investigation he traced it to my server and pulled the
> patch cable from the wall. I checked the logs this morning and found the
> following..
> 
> 
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Mar 22 17:11:24 jenner kernel: imp uses obsolete (PF_INET,SOCK_PACKET) 
> Mar 22 17:11:24 jenner kernel: eth0: Setting promiscuous mode.
> Mar 22 17:11:24 jenner kernel: device eth0 entered promiscuous mode
> 
> 
> Security Violations
> =-=-=-=-=-=-=-=-=-=
> Mar 22 18:12:48 jenner login: FAILED LOGIN 1 FROM (null) FOR  , User not
> known to the underlying authentication module
> Mar 22 18:12:48 jenner login: FAILED LOGIN 2 FROM (null) FOR , User not
> known to the underlying authentication module
> Mar 22 18:13:11 jenner login: FAILED LOGIN 3 FROM (null) FOR , User not
> known to the underlying authentication module
> Mar 22 18:13:11 jenner login: FAILED LOGIN SESSION FROM (null) FOR , User
> not known to the underlying authentication module
> 
> 
> 
> So I ran tripwire and found a reference to "imp".
> 
> /dev/sda69/. /t00ls/imp
>         st_ino: 42968                         42937                         
> ---> File: '/dev/sda69/.\040/t00ls/imp'
> ---> Update entry?  [YN(y)nh?] 
> 
> So I went to /dev/sda69/. /t00ls which I'm pretty sure shouldn't be
> there?? It had other files in it such as
> 
> check       fin.secure  hell        imp         orgasm      secure
> ssynk4      udp.l     check.c     foo         hunt.tar    linsmaq     
> phonix      slice     stealth     duy         getcast     iffit.tar
> milk      psmurf      sm          thc
> 
> A quick look in check.c revealed
> 
> printf("\n .:( cr0n v1.0 ):. by c0de red ");
> printf("\n The best vulnerability scanner ");
> 
> 
> I don't think there's much point going any further.. I guess a full
> re-install is the only way to fix it.
> 
> Regards
> Todd
> 
> 
> -- 
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.


Uptime:   9:28pm  up 16 days,  3:11,  1 user,  load average: 0.02, 0.01, 0.00


----------------------------------
Steven J. Gulick
Cornerstone Development, LLC.
Voice (203) 855-1501
Fax    (203) 838-9597
E-Mail: [EMAIL PROTECTED]
Date: 22-Mar-2000 Time: 21:28:22
----------------------------------


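The two log excerpts and the Tripwire hit in Todd's message are exactly the kind of input a small triage script should chew through automatically. The following is an added example, not code from either poster: it parses the syslog lines quoted above (copied verbatim as the only sample input), ties the "device eth0 entered promiscuous mode" notice to the process named in the "uses obsolete (PF_INET,SOCK_PACKET)" warning logged in the same second, counts the failed-login run, decodes Tripwire's octal escape (the "\040" in '/dev/sda69/.\040/t00ls/imp' is a space), and explains why that path looks like a hiding place. The failed-login threshold of 3 and the "nested directory under /dev" heuristic are my assumptions, not anything the post states.

```python
import re

# Log lines copied from the post above (the only sample input; nothing added).
SAMPLE_LOG = """\
Mar 22 17:11:24 jenner kernel: imp uses obsolete (PF_INET,SOCK_PACKET)
Mar 22 17:11:24 jenner kernel: eth0: Setting promiscuous mode.
Mar 22 17:11:24 jenner kernel: device eth0 entered promiscuous mode
Mar 22 18:12:48 jenner login: FAILED LOGIN 1 FROM (null) FOR  , User not known to the underlying authentication module
Mar 22 18:12:48 jenner login: FAILED LOGIN 2 FROM (null) FOR , User not known to the underlying authentication module
Mar 22 18:13:11 jenner login: FAILED LOGIN 3 FROM (null) FOR , User not known to the underlying authentication module
Mar 22 18:13:11 jenner login: FAILED LOGIN SESSION FROM (null) FOR , User not known to the underlying authentication module
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Kernel warning naming the process that opened a legacy SOCK_PACKET raw socket.
SOCK_PACKET_RE = re.compile(r"^(?P<prog>\S+) uses obsolete \(PF_INET,SOCK_PACKET\)")
# Kernel notice that an interface switched to promiscuous mode.
PROMISC_RE = re.compile(r"^device (?P<iface>\S+) entered promiscuous mode")
# login(1) failure lines; the count field is a number or the word SESSION.
FAILED_LOGIN_RE = re.compile(r"FAILED LOGIN (?P<n>\d+|SESSION) FROM (?P<src>\S+)")


def parse_syslog(text):
    """Return one dict per syslog line; lines that do not parse are skipped."""
    return [m.groupdict() for m in map(SYSLOG_RE.match, text.splitlines()) if m]


def find_indicators(events, failed_login_threshold=3):
    """Flag promiscuous-mode changes (with the process that most likely caused
    them) and runs of failed logins. The threshold of 3 is an assumed tuning value."""
    findings = []
    raw_socket_users = {}  # program name -> timestamp of its SOCK_PACKET warning
    for e in events:
        if e["prog"] != "kernel":
            continue
        m = SOCK_PACKET_RE.match(e["msg"])
        if m:
            raw_socket_users[m["prog"]] = e["ts"]
            continue
        m = PROMISC_RE.match(e["msg"])
        if m:
            # A SOCK_PACKET warning logged in the same second is the best lead
            # for which binary put the card into promiscuous mode.
            suspects = [p for p, ts in raw_socket_users.items() if ts == e["ts"]]
            findings.append({"type": "promisc", "ts": e["ts"], "iface": m["iface"],
                             "suspect": suspects[0] if suspects else None})
    failed = [(e, FAILED_LOGIN_RE.search(e["msg"])) for e in events if e["prog"] == "login"]
    failed = [(e, m) for e, m in failed if m]
    if len(failed) >= failed_login_threshold:
        findings.append({"type": "failed_logins", "count": len(failed),
                         "sources": sorted({m["src"] for _, m in failed}),
                         "first": failed[0][0]["ts"], "last": failed[-1][0]["ts"]})
    return findings


# Tripwire prints non-printable bytes in file names as three-digit octal escapes.
TW_ESCAPE_RE = re.compile(r"\\([0-7]{3})")


def decode_tripwire_path(escaped):
    """Turn a Tripwire-escaped path such as '/dev/sda69/.\\040/t00ls/imp'
    back into the real path string ('\\040' is a space)."""
    return TW_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), escaped)


def suspicious_path_components(path):
    """Reasons a path looks like a hiding place: whitespace or control characters
    in a component, a dot-name padded with whitespace (shows up as '.' or '..'
    in a directory listing), or a directory tree more than one level below /dev,
    which normally holds device nodes, not tool directories (assumed heuristic;
    one level such as /dev/pts/N is allowed)."""
    reasons = []
    for comp in path.split("/"):
        if not comp:
            continue
        if any(c.isspace() or ord(c) < 32 for c in comp):
            reasons.append(f"whitespace/control character in component {comp!r}")
        if comp.strip() in (".", "..") and comp not in (".", ".."):
            reasons.append(f"component {comp!r} mimics {comp.strip()!r}")
    if path.startswith("/dev/") and path.count("/") > 3:
        reasons.append("directory tree nested under /dev")
    return reasons


if __name__ == "__main__":
    for finding in find_indicators(parse_syslog(SAMPLE_LOG)):
        print(finding)
    real = decode_tripwire_path(r"/dev/sda69/.\040/t00ls/imp")
    print(repr(real), suspicious_path_components(real))
```

Run against the quoted lines it reports one promiscuous-mode event on eth0 with "imp" as the suspect, one run of four failed logins from "(null)", and three reasons to distrust "/dev/sda69/. /t00ls/imp". The correlation on the timestamp is deliberately loose (same second, not same process), because the kernel does not log which process flipped the interface flag; on a live box you would confirm with the process list and the open-files table before trusting it, and, as Todd concludes, a host that has reached this point is rebuilt rather than cleaned.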