More info:

They just telneted in from 194.212.26.32. They did add the lines to
inetd.conf (I removed them). It should be an up-to-date 6.2 system as far as
BIND etc. go.

Found the script they were running in the cron job and removed it. I was
at the machine at the time when it hit, so it did not go on for long.

Will look into further security measures.

Thanks for the info

On Wed, 4 Oct 2000, Rick Warner wrote:

> 
> 
> There are many ways they may have broken into your system.  Old versions
> of BIND, sshd with RSAREF2, wu-ftpd with the SITE EXEC problem, and on and
> on it goes.  You will need to do a thorough security review of the system.
> 
> But, the main message is shutting off telnet has probably NOT stopped them
> at all.  Most of the DDoS attack tools have master/slave capabilities and
> the master often gives them a back door.  If the master is still there,
> they are still getting in most likely.  Also look to see if they modified
> inetd.conf; one of the simple backdoors that is often installed is to add
> a line to inetd.conf that will fire off sh -i or bash -i when a certain
> port is hit.  Another backdoor is to replace inetd with a version that has
> a built-in backdoor.  You really should take the machine off-line, do
> comparisons of binaries against the installed packages, clean up the
> machine, and harden it before putting it back on-line.  www.cert.org has a
> section on how to recover from compromises.
> 
> - rick warner
> 
> On Wed, 4 Oct 2000, Brian Schneider wrote:
> 
> > I was hacked last night. I was suddenly getting a huge load on my
> > system. Looking at "top", I found a file td running with many
> > instances. In searching, I found the file in /dev/chr/client. I found
> > where the users x and noc were used and then deleted them.
> > 
> > How can I find where the logins came from? For now I have disabled telnet,
> > except locally as I will use ssh to check my mail remotely.
> > 
> > Any ideas how they may have got in, or what should I look for to get more
> > info on this.
> > 
> > TIA
> > 
> > 

------------------------------------------------------------------------
"If you're not one of us, you are one of them" Morpheus

Brian Schneider           [EMAIL PROTECTED]            www.liberty.ddns.org 
________________________________________________________________________



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
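The checks Rick recommends (look for inetd.conf entries that spawn a shell, compare installed binaries against the package database) and the question Brian asks (where did the logins come from), as an added example; this is not code from the original thread or from any of its authors. It is three small shell functions run over constructed sample input: a made-up inetd.conf, made-up `rpm -Va` output, and made-up /var/log/secure lines in the tcp_wrappers "connect from" format, so it runs offline. The service names, hostnames, addresses and file lists in the samples are assumptions chosen for the demonstration, not data from Brian's machine.

```bash
#!/bin/sh
# Added example for this thread, not code from the original posts.  Three of
# the post-compromise checks discussed above, as shell functions over
# constructed sample input so the script runs offline.  All sample data below
# (service names, hosts, addresses, file lists) is made up for the demonstration.

# 1. inetd.conf backdoors.  Fields: service socktype proto flags user server args.
#    Flag any entry whose server program, or its first argument (tcpd wraps the
#    real program), is a shell: the "sh -i" / "bash -i" trick Rick describes.
find_inetd_backdoors() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }
        {
            prog = $6; sub(/.*\//, "", prog)
            arg1 = (NF >= 7) ? $7 : ""; sub(/.*\//, "", arg1)
            shells = "^(sh|bash|ash|ksh|csh|tcsh|zsh)$"
            if (prog ~ shells || arg1 ~ shells) {
                line = "SUSPECT " $1 ":"
                for (i = 6; i <= NF; i++) line = line " " $i
                print line
            }
        }'
}

# 2. Binaries that no longer match the package database, from "rpm -Va" output:
#    a "5" in the attribute column means the MD5 differs, "missing" means the
#    file is gone.  Config files (marked "c") are skipped; edits are expected
#    there, and inetd.conf is checked separately above.
modified_binaries() {
    awk '
        NF < 2             { next }
        $1 == "missing"    { print "MISSING " $NF; next }
        $2 == "c"          { next }
        index($1, "5") > 0 { print "MODIFIED " $NF }'
}

# 3. Where the logins came from.  tcp_wrappers logs each accepted connection to
#    /var/log/secure as "<daemon>[pid]: connect from <host>"; count per daemon
#    and source.  sshd lines use a different format and are not counted here.
login_sources() {
    awk '$5 ~ /^in\.(telnetd|ftpd|rshd|rlogind)\[/ && $6 == "connect" && $7 == "from" {
            print $5 " " $8 }' | sed 's/\[[0-9]*\]://' | sort | uniq -c
}

# Constructed sample input (not from Brian's machine).
SAMPLE_INETD='# service   socktype proto flags  user   server          args
ftp         stream   tcp   nowait root   /usr/sbin/tcpd  in.ftpd -l -a
telnet      stream   tcp   nowait root   /usr/sbin/tcpd  in.telnetd
finger      stream   tcp   nowait nobody /usr/sbin/tcpd  in.fingerd
ingreslock  stream   tcp   nowait root   /bin/sh         sh -i
uucp        stream   tcp   nowait root   /usr/sbin/tcpd  /bin/bash -i'

SAMPLE_RPMV='S.5....T   /bin/ps
S.5....T   /bin/netstat
..5....T   /usr/sbin/inetd
S.5....T c /etc/inetd.conf
.......T   /usr/share/man/man1/ps.1.gz
missing    /usr/bin/top'

SAMPLE_SECURE='Oct  4 01:58:02 host in.telnetd[1831]: connect from 192.0.2.10
Oct  4 01:58:40 host in.ftpd[1839]: connect from 192.0.2.10
Oct  4 08:12:11 host in.telnetd[2210]: connect from 10.0.0.5
Oct  4 08:13:00 host sshd[2215]: Accepted password for user from 10.0.0.5'

printf '%s\n' "$SAMPLE_INETD"  | find_inetd_backdoors
printf '%s\n' "$SAMPLE_RPMV"   | modified_binaries
printf '%s\n' "$SAMPLE_SECURE" | login_sources
```

On a real box the inputs are /etc/inetd.conf, the output of `rpm -Va`, and /var/log/secure. Two caveats a practitioner would want: the sample `rpm -Va` output shows why the inetd.conf scan alone is not enough, since Rick's second backdoor (a replaced inetd) leaves inetd.conf clean and only shows up as a modified /usr/sbin/inetd; and `rpm -V` trusts both the rpm binary and the package database on the compromised disk, either of which a rootkit can alter, so do the comparison booted from trusted media rather than on the running system.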
