There are many ways they may have broken into your system. Old versions
of BIND, sshd with RSAREF2, wu-ftpd with the SITE EXEC problem, and on and
on it goes. You will need to do a thorough security review of the system.
But, the main message is shutting off telnet has probably NOT stopped them
at all. Most of the DDoS attack tools have master/slave capabilities and
the master often gives them a back door. If the master is still there,
they are still getting in most likely. Also look to see if they modified
inetd.conf; one of the simple backdoors that is often installed is to add
a line to inetd.conf that will fire off sh -i or bash -i when a certain
port is hit. Another backdoor is to replace inetd with a version that has
a built-in backdoor. You really should take the machine off-line, do
comparisons of binaries against the installed packages, clean up the
machine, and harden it before putting it back on-line. www.cert.org has a
section on how to recover from compromises.
- rick warner
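Two of the checks suggested above, written out as an added example (not Rick's or the original poster's code) for a Red Hat box of that era: scan inetd.conf for entries that hand a port to an interactive shell, and filter `rpm -Va` output down to files whose checksum no longer matches the installed package. Both input samples are constructed for the example; the port number, paths and flag lines are illustrative, not from the post.

```shell
#!/bin/sh
# Constructed inetd.conf sample (not from the post): three normal tcpd-wrapped
# services plus one backdoor line of the kind the reply describes.
SAMPLE_INETD_CONF='# inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
31337   stream  tcp     nowait  root    /bin/sh         sh -i
'

# Constructed `rpm -Va` sample: flags column, optional "c" (config file), path.
# A "5" in the flags means the MD5 digest no longer matches the package.
SAMPLE_RPM_VERIFY='S.5....T   /usr/sbin/inetd
.......T   /etc/passwd
S.5....T c /etc/inetd.conf
.M......   /usr/bin/passwd
'

# Report inetd.conf entries whose server program is a shell, or whose arguments
# run sh/bash with -i, and entries keyed by a bare port number instead of an
# /etc/services name. $1 is the file to read; "-" reads standard input.
find_shell_services() {
    awk '
      /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
      {
        prog = $6; args = ""
        for (i = 7; i <= NF; i++) args = args " " $i
        if (prog ~ /\/(sh|bash|ksh|csh|tcsh)$/ ||
            (args ~ /(^| )(sh|bash)( |$)/ && args ~ /(^| )-i( |$)/))
            print "SHELL-SERVICE: " $0
        else if ($1 ~ /^[0-9]+$/)
            print "NUMERIC-PORT: " $0
      }' "$1"
}

# List files from `rpm -Va` output whose digest changed (flag "5"); a replaced
# inetd, login or ps binary lands here. $1 is the file to read; "-" for stdin.
changed_files() {
    awk '$1 ~ /5/ { print $NF }' "$1"
}

# Run both checks over the constructed samples. On a real host:
#   find_shell_services /etc/inetd.conf;  rpm -Va | changed_files -
printf '%s' "$SAMPLE_INETD_CONF" | find_shell_services -
printf '%s' "$SAMPLE_RPM_VERIFY"  | changed_files -
```

A hit in either list is a reason to take the box off the network and rebuild, not to edit the line and move on, since the same intruder usually left more than one way back in.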
On Wed, 4 Oct 2000, Brian Schneider wrote:
> I was hacked last night. I was suddenly getting a huge load on my
> system. Looking at "top", I found a file td running with many
> instances. In searching, I found the file in /dev/chr/client. I found
> where the user x and noc were used and then deleted.
>
> How can I find where the logins came from? For now I have disabled telnet,
> except locally as I will use ssh to check my mail remotely.
>
> Any ideas how they may have got in, or what should I look for to get more
> info on this?
>
> TIA
>
> ------------------------------------------------------------------------
> "If you're not one of us, you are one of them" Morpheus
>
> Brian Schneider [EMAIL PROTECTED] www.liberty.ddns.org
> ________________________________________________________________________
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
>