On Thu, Nov 09, 2000 at 08:23:14AM -0500, Fred Edmister wrote:
:       This morning I awoke to my Linux server not responding, and when I went to 
: the system itself, there were a bunch of PAM *** info lines on the screen 
: for a username I had never seen... I couldn't log in, and had to just power 
: down and do a manual fsck when it came back up... (bear with me, there is a 
: question here)  Once the system came back up (after changing all the 
: passwords of course... )  there was a new user "shlomi" added to the 
: system, and in the home directory was a program directory, and the tar 
: file... (bnc2.6.2         bnc2.6.2.tar.gz)  My questions are 1).  What is 
: this BNC, and should I worry about what this guy may have done to my system 
: (everything seems to work fine, but I don't know if he did something 
: "behind the scenes")   2).  How did this guy get in, and what can I do to 
: prevent these things from happening in the future (I noticed on the screen 
: when I got to the system one of the PAM's was him being su'd.. NOT 
: good)   And Lastly,  where is the log that holds the telnet info so I can 
: check and see EXACTLY what this guy did...  Thank you all in advance for 
: your help!  It is greatly appreciated!

Congratulations Fred, you've been hacked. :-(

Pull the machine off the network immediately and do your research to 
find out how the intruder gained access.  This "bnc" thing sure sounds like
a rootkit.  Bad news for you.  You can't trust system binaries any more.
I'd do an rpm -Va, verify your packages, reinstall the ones that have been 
altered, then start looking for what they did.

DO NOT simply reinstall some RPMs, and fix a hole they used and put it
back on the network.  Back up your data files, and format the drive(s).
Really.

As for how to prevent this from happening in the future, you'll have to 
stay on top of security advisories and apply patches when they are 
released.  I'd bet you got rooted through the wu-ftpd exploit or maybe
the somewhat older BIND exploit.  Those are popular with the script
kiddies.  Also, don't run any services you don't need; they're just more
invitation to trouble.

-- 
Jason Costomiris <><           |  Technologist, geek, human.
jcostom {at} jasons {dot} org  |  http://www.jasons.org/ 
          Quidquid latine dictum sit, altum viditur.
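
The "rpm -Va, verify your packages" step above produces a long listing in which most lines are harmless mtime changes. The script below is an added example, not code from either poster or from the redhat-list archive: it reads rpm -Va output and prints only the files whose contents, mode or presence changed. The sample lines it runs against are constructed for the example and are not output from Fred's machine; the function name triage_rpm_va is invented here.

```shell
#!/bin/sh
# Added example, not from the original thread: triage `rpm -Va` output.
# Each rpm -Va line is a flag field ("S.5....T", "missing", ...), an optional
# attribute letter (c = config file), and the path.  Flags: S size, M mode,
# 5 MD5 digest, D device, L symlink, U user, G group, T mtime.

# Constructed sample standing in for `rpm -Va` on a compromised box
# (hypothetical lines, not output from Fred's machine).
SAMPLE='S.5....T   /bin/ls
.......T   /usr/bin/passwd
.......T c /etc/issue
S.5....T c /etc/inetd.conf
missing    /sbin/ifconfig
.M......   /usr/bin/sudo
..5.....   /usr/sbin/in.ftpd'

# triage_rpm_va: read rpm -Va lines on stdin and print one tagged line per
# file whose contents (size or MD5), mode or presence changed.  mtime-,
# owner- and group-only changes are dropped because they are common on a
# healthy system and carry no signal on their own.
triage_rpm_va() {
    awk '
    $1 == "missing" { print "MISSING " $NF; next }
    {
        flags = $1
        attr  = (NF == 3) ? $2 : ""
        path  = $NF
        content = (index(flags, "5") > 0 || index(flags, "S") > 0)
        mode    = (index(flags, "M") > 0)
        if (attr == "c" && content) { print "CONFIG  " path; next }
        if (content)                { print "CONTENT " path; next }
        if (mode)                   { print "MODE    " path; next }
    }'
}

# Stand-alone run against the constructed sample.  On a real box:
#   rpm -Va | triage_rpm_va
printf '%s\n' "$SAMPLE" | triage_rpm_va
```

Two caveats when using this for real. rpm -Va trusts both the local RPM database and the rpm binary itself, and an intruder who replaced /bin/ls can just as easily have replaced /bin/rpm or edited the database, so a clean report is weak evidence; run the check with an rpm binary from trusted read-only media or from a rescue boot, and treat the output as a list of things to look at rather than proof of what is untouched. A changed config file such as /etc/inetd.conf is worth reading line by line, because that is where a newly enabled service or backdoor shell would show up.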
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list