A recent popular method of gaining root access to some networked machines
involved exploitation of the NXT record buffer overflow in BIND; it became
so popular in late March that CERT put out a new advisory on the problem,
which had been the subject of an advisory last year. This issue is why
RedHat 6.2 now uses a non-privileged user to run BIND. I watched several
DNS servers for different domains get hit on the same day, and each time
the intruder started installing one of the DDoS systems.
- rick warner -
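Two of the checks discussed in this thread (an unexpected listener such as port 60400 showing up in netstat, and BIND running as root rather than as an unprivileged user) can be scripted as simple audits. The script below is an added example, not code from anyone in the thread; the netstat and ps text it parses is constructed sample output in Solaris `netstat -an` / `ps -ef` layout, the port allowlist is an assumed baseline, and the `in.named` path is the conventional Solaris one, so adjust all three for a real host.

```sh
#!/bin/sh
# Added example: two small host audits inspired by the thread above.
#   1. unexpected_listeners - TCP ports in LISTEN state that are not on a baseline list
#   2. named_as_root        - PIDs of BIND (in.named / named) running under uid root
# All input below is CONSTRUCTED sample output; on a live host pipe in the real
# 'netstat -an' and 'ps -ef' output instead.

# Assumed baseline of ports this workstation is expected to serve.
EXPECTED_PORTS="21 22 23 25 53 111"

# Constructed sample of the TCP section of Solaris 'netstat -an':
# Local Address  Remote Address  Swind Send-Q Rwind Recv-Q State
SAMPLE_NETSTAT='      *.23                 *.*                0      0     0      0 LISTEN
      *.25                 *.*                0      0     0      0 LISTEN
      *.60400              *.*                0      0     0      0 LISTEN
10.0.0.5.23          10.0.0.9.1034       8760      0  8760      0 ESTABLISHED'

# Constructed sample of 'ps -ef' (Solaris columns: UID PID PPID C STIME TTY TIME CMD).
SAMPLE_PS='    UID   PID  PPID  C    STIME TTY      TIME CMD
   root   167     1  0   Jul 02 ?        0:01 /usr/sbin/syslogd
   root   301     1  0   Jul 02 ?        0:10 /usr/sbin/in.named
  named   302     1  0   Jul 02 ?        0:10 /usr/sbin/in.named
   root   180     1  0   Jul 02 ?        0:47 /usr/sbin/cron'

# Print every listening TCP port that is not in EXPECTED_PORTS, one per line.
# $1: netstat text to examine; defaults to the constructed sample.
unexpected_listeners() {
    printf '%s\n' "${1:-$SAMPLE_NETSTAT}" | awk -v ok="$EXPECTED_PORTS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        $NF == "LISTEN" {
            port = $1; sub(/.*\./, "", port)      # "*.60400" -> "60400"
            if (!(port in allow)) print port
        }'
}

# Print the PID of each BIND process whose UID column is root.
# $1: ps text to examine; defaults to the constructed sample.
# The whole line is matched because STIME may be one or two fields.
named_as_root() {
    printf '%s\n' "${1:-$SAMPLE_PS}" | awk '
        $1 == "root" && $0 ~ /\/(in\.)?named( |$)/ { print $2 }'
}

# Stand-alone run: report findings against the constructed samples.
main() {
    echo "Unexpected listening ports:"
    unexpected_listeners
    echo "BIND processes running as root (PIDs):"
    named_as_root
}

# Only run main when executed directly, so the functions can be sourced.
case "$0" in *sh) ;; *) main ;; esac
```

On a real system, replace the samples with `unexpected_listeners "$(netstat -an)"` and `named_as_root "$(ps -ef)"`; the port that turns up can then be tied to a process with `fuser` or `pfiles` on the host in question.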
On Fri, 19 May 2000, Burke, Thomas G. wrote:
> I'm not sure, but the 60400 port may be the Trin00 stuff... I got hacked
> with that one, & I never did find the daemon that was running... It looked
> a little to me like the script is set up to run periodically, maybe by cron
> - so check your cron.hourly, etc. for something that'll run things that
> shouldn't be there... I finally found a new copy of netcat in my /usr/bin
> directory, & removed it...
>
> I'm still not sure how the guy broke into my machine, but however he did it,
> it was pretty transparent to me. The only reason I realized he had done it
> was because the lazy goof didn't bother to change the scripts to point at
> what was _really_ my outgoing interface, causing my firewall to catch it &
> spew tons o' logs...
>
> Good luck... Maybe you can put port 60400 & the others specifically into
> hosts.deny
> ie: 60400:ALL
>
>
> > -----Original Message-----
> > From: Brad [SMTP:[EMAIL PROTECTED]]
> > Sent: Sunday, May 14, 2000 9:07 PM
> > To: [EMAIL PROTECTED]
> > Subject: there's a hacker!
> >
> > Dear all,
> > I am a newbie as an administrator of the company's workstations.
> > Now I find (using "netstat") that someone is using Scorpio (one of the
> > workstations) as a tcp proxy server at port 60400, but I don't know how
> > to stop it. I used the "ps" command; it displayed as follows:
> > UID PID PPID C STIME TTY TIME CMD
> > root 0 0 0 Jul 02 ? 0:09 sched
> > root 1 0 0 Jul 02 ? 1:33 /etc/init -
> > root 2 0 0 Jul 02 ? 0:57 pageout
> > root 3 0 0 Jul 02 ? 1213:20 fsflush
> > root 268 233 0 Jul 02 ? 1:15 /usr/openwin/bin/Xsun :0 -nobannd
> > root 135 1 0 Jul 02 ? 0:24 /usr/sbin/inetd -s
> > root 264 1 0 Jul 02 ? 0:00 /usr/lib/saf/sac -t 300
> > root 115 1 0 Jul 02 ? 0:11 /usr/sbin/rpcbind
> > root 107 1 0 Jul 02 ? 2:57 /usr/sbin/in.routed -q
> > root 117 1 0 Jul 02 ? 0:00 /usr/sbin/keyserv
> > root 207 196 0 Jul 02 ? 0:00 lpNet
> > root 125 1 0 Jul 02 ? 0:00 /usr/sbin/kerbd
> > root 123 1 0 Jul 02 ? 0:02 /usr/lib/netsvc/yp/ypbind -broadt
> > daemon 138 1 0 Jul 02 ? 0:00 /usr/lib/nfs/statd
> > root 140 1 0 Jul 02 ? 0:00 /usr/lib/nfs/lockd
> > root 163 1 0 Jul 02 ? 0:00 /usr/lib/autofs/automountd
> > root 167 1 0 Jul 02 ? 0:01 /usr/sbin/syslogd
> > root 186 1 0 Jul 02 ? 1:23 /usr/sbin/nscd
> > root 220 1 0 Jul 02 ? 0:00 /usr/sbin/vold
> > root 180 1 0 Jul 02 ? 0:47 /usr/sbin/cron
> > root 196 1 0 Jul 02 ? 0:00 /usr/lib/lpsched
> > root 265 1 0 Jul 02 console 0:00 /usr/lib/saf/ttymon -g -h -p sco
> > root 18358 135 0 Dec 04 ? 0:00 in.telnetd
> > root 211 1 0 Jul 02 ? 0:04 /usr/lib/utmpd
> > root 233 1 0 Jul 02 ? 0:40 /usr/dt/bin/dtlogin
> > root 261 1 0 Jul 02 ? 0:00 /usr/lib/nfs/mountd
> > root 259 1 0 Jul 02 ? 0:29 /usr/lib/nfs/nfsd -a 16
> > root 267 264 0 Jul 02 ? 0:01 /usr/lib/saf/ttymon
> > root 8642 8629 0 Jan 21 ? 0:30 dtgreet -display :0
> > root 8629 233 0 Jan 21 ? 0:00 /usr/dt/bin/dtlogin
> > nobody 7925 135 0 Nov 30 ? 0:00 fs
> > regine 18360 18358 0 Dec 04 pts/5 0:00 -csh
> > root 8602 135 0 Jan 21 ? 0:00 rpc.ttdbserverd
> > root 17993 135 0 0:00 <defunct>
> > root 18764 1 0 Aug 30 ? 0:02 /usr/lib/sendmail -bd -q15m
> > root 8631 1 0 Jan 21 ? 0:00 /usr/openwin/bin/fbconsole -d :0
> > oscar 13463 1 0 Mar 21 ? 0:04 ftp mew.tcs
> > root 7439 7419 0 08:42:13 pts/7 0:00 /usr/bin/ps -ef
> > root 7417 135 0 08:12:59 ? 0:00 in.telnetd
> > ccchu 4607 1 0 Mar 15 ? 0:00 fs
> > guest 7419 7417 0 08:13:00 pts/7 0:00 -csh
> > guest 7092 1 0 19:26:45 ? 2:18 sim.v2
> >
> > Does anybody know how I can find the hacker's process, and stop
> > it?
> > Thanks a lot.
> > Brad
> >
> > --------------------------------------------------------------------------
> > Brad Chun
> > [EMAIL PROTECTED]
> > "The best way to escape from your problem is to solve it."
> > --------------------------------------------------------------------------
> >
> >
> > --
> > To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> > as the Subject.
>
>
>
>