I'm guessing they probably installed a rootkit... Do a web search on rootkit
or rewt, & see what pops up...  There used to be a site dedicated to this
stuff, but I dunno if it still exists or not...  That'll explain the
different rootkits, how they work, what files they replace, etc...  

Personally, I'd reinstall the binary directories & do all the updates, if I
didn't just reinstall the whole system (after backing up the appropriate
config files).  You can bet that by now the hacker knows you know about him
& is trying to break back in (if he hasn't already)...

> -----Original Message-----
> From: Gary Carr [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, August 08, 2000 1:59 PM
> To:   [EMAIL PROTECTED]
> Subject:      Re: can not log in as root or a user
> 
> Ok, I have found the replaced files in the /bin directory. They replaced the
> login, ls, netstat, ps, and pwd files. I have restored those from the backup
> and am able to get into the server again. I was able to access the server by
> enabling the rlogin from single user mode and logging in remotely. Is there
> any way to look at these files to see what exactly they were doing. I may
> be able to get additional information to track this person down. The
> anonymous ftp came from Aurora.kerszov.hu (194.196.10.181)
> 
> 
> Thanks,
> 
> 
> Gary
> 
> 
> > After a hack, it's possible that the pwconv program has been altered, as
> > well as the login, etc...
> >
> > Look & see if the passwd file is there or not (both the normal one & the pam
> > one), & see if they've been modified.
> >
> > Also, check the login program...  One of the hacks on those looks like a
> > failed login, so that you try all your different passwords (thinking you've
> > misremembered which one to use on a particular system), and records all
> > those passwords for the cracker to use later.
> >
> > > -----Original Message-----
> > > From: Gary Carr [SMTP:[EMAIL PROTECTED]]
> > > Sent: Tuesday, August 08, 2000 1:12 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: can not log in as root or a user
> > >
> > > One of our servers may have gotten hacked thru the ftp bug causing all
> > > logins to get denied. I can not log into the server as root or any other
> > > login unless I boot to single user mode. I have checked for the nologin
> > > file in the /etc directory and it is not present. What else do I need to
> > > check to find the cause of not being able to log into the console as root
> > > or any other user? BTW, I have also booted to single user mode and changed
> > > the root password and even run the passconv program to make sure the
> > > shadow file gets updated. I'm at a loss here and any help would be
> > > appreciated.
> > >
> > >
> > > Thanks,
> > >
> > > Gary
> > >
> 
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
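The thread's advice boils down to finding which binaries were swapped. As an added example (not code from the list or any poster), here is a small baseline-and-verify check in Python over the five files Gary names; it uses a constructed temporary directory and fake file contents in place of the real /bin.

```python
import hashlib
import os
import tempfile

# Binaries the thread reports as replaced under /bin by the intruder.
WATCHED = ["login", "ls", "netstat", "ps", "pwd"]

def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(bindir, names=WATCHED):
    """Record the hash of each watched binary from a known-good system."""
    return {name: sha256_of(os.path.join(bindir, name)) for name in names}

def verify(bindir, baseline):
    """Compare current binaries to the baseline; return name -> status."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(bindir, name)
        if not os.path.exists(path):
            report[name] = "missing"
        elif sha256_of(path) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report

def write_fake(bindir, name, tag):
    """Constructed stand-in for a binary; real ones would be the ELF files."""
    with open(os.path.join(bindir, name), "wb") as f:
        f.write(b"\x7fELF " + tag + b" " + name.encode())

def demo():
    """Constructed scenario: baseline a fake /bin, then trojan login and ps."""
    with tempfile.TemporaryDirectory() as bindir:
        for name in WATCHED:
            write_fake(bindir, name, b"original")
        baseline = build_baseline(bindir)
        # Simulate the intruder swapping in replacements and deleting one file.
        write_fake(bindir, "login", b"trojaned")
        write_fake(bindir, "ps", b"trojaned")
        os.remove(os.path.join(bindir, "netstat"))
        return verify(bindir, baseline)
```

Call demo() to see the report; run the real check from a clean boot (single user mode or rescue media), since a trojaned ls, ps or kernel can hide changes, and on Red Hat `rpm -V` against the package database gives a comparable comparison.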