Re: CRIME Multiple breakins, but can't figure out how

From: Alan (alan@private)
Date: Wed Nov 19 2003 - 22:42:03 PST


    On Tue, 2003-11-18 at 12:19, A.J. Weinzettel wrote:
    > I have had multiple breakins somehow using different versions of RedHat
    > (7.1,7.3,&8.0).  This started last week on the 7.1 and 7.3 boxes.  I
    > have been keeping up on all the latest patches for Apache, Sendmail,
    > SSH, MySQL.  So, I noticed the breakins and noticed a directory called
    > /dev/rd/cdb.  In this directory there is a run.tgz and it is expanded in
    > to a directory.  This is the contents:
    
    Find a trusted version of find and look for a copy of .bash_history
    where it does not belong.  (Like /var.)
    
    Are you running iptables or ipchains? What is visible from outside?  A
    friend had a server broken into through MySQL.  (It was visible to the
    outside world.)
    
    Have you checked to see what is actually visible to the outside with
    nmap?
    
    Also, I do not understand why you went to Redhat 8.0 as opposed to
    Redhat 9 or Fedora 1.  The unicode implementation in 8.0 is uneven and
    incomplete.  (I am expecting more unicode exploits as unix moves to
    using it.)
    
    -- 
    "Society will bear responsibility for this, We put the men of religion
    above fault, and made them unaccountable. We gave them special privilege
    -- and this is the result." 
                                  - Hussein Nasser in The Arab News
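
The first suggestion above (use a trusted find to look for .bash_history where it does not belong), written out as a small triage script. This is an added example, not code from the original post or from Alan; the function names, the FIND environment variable used to point at a known-good (ideally statically linked) find binary, and the sample tree built by build_sample_tree are all my own assumptions. The sample tree is constructed for illustration; it reuses the /dev/rd/cdb path mentioned in the thread only as one of the stray locations.

```shell
#!/bin/sh
# Added example (not from the original post): find .bash_history files that
# sit outside the home directories listed in a passwd file.  Both the root
# to search and the passwd file are arguments, so the same function works on
# a live host (/ and /etc/passwd) or on a mounted image of a compromised disk.
# Assumption: FIND names a trusted find binary; it defaults to whatever is on
# PATH, which is exactly what you should NOT rely on once a rootkit is suspected.

# usage: stray_bash_history ROOT PASSWD_FILE
# prints one path per line for every .bash_history not under a known home dir
stray_bash_history() {
    root=$1
    passwd=$2
    find_bin=${FIND:-find}
    prefix=${root%/}           # "/" -> "" so "$prefix$home/*" stays a valid pattern

    # Build one "-not -path ROOT/HOME/*" clause per account in passwd.
    set --
    while IFS=: read -r _ _ _ _ _ home _; do
        case $home in
            ""|/) continue ;;  # an empty or "/" home would exclude everything
        esac
        set -- "$@" -not -path "$prefix$home/*"
    done < "$passwd"

    "$find_bin" "$root" -xdev -type f -name .bash_history "$@" 2>/dev/null
}

# Constructed sample tree standing in for a compromised host's filesystem.
# Two histories live where they belong; two are strays that should be reported.
build_sample_tree() {
    base=$1
    mkdir -p "$base/root" "$base/home/ajw" "$base/var/tmp/.x" "$base/dev/rd/cdb"
    : > "$base/root/.bash_history"          # expected: root's own history
    : > "$base/home/ajw/.bash_history"      # expected: a normal user's history
    : > "$base/var/tmp/.x/.bash_history"    # stray: shell run from a scratch dir
    : > "$base/dev/rd/cdb/.bash_history"    # stray: hidden dir named in the thread
    printf 'root:x:0:0:root:/root:/bin/bash\najw:x:500:500::/home/ajw:/bin/bash\n' \
        > "$base/passwd"
}

# Stand-alone demo: build the sample tree, report strays, clean up.
demo() {
    tmp=$(mktemp -d) || return 1
    build_sample_tree "$tmp"
    stray_bash_history "$tmp" "$tmp/passwd"
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

On a real box run it as `FIND=/mnt/cdrom/bin/find stray_bash_history / /etc/passwd` with find taken from known-good media, and read the passwd file with the same caution: an attacker who added an account with a home under /var/tmp would, by design, get that location excluded. The -xdev flag keeps the search on one filesystem, so repeat it per mount point rather than assuming one pass covered /var or /home on their own partitions.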
    
    This archive was generated by hypermail 2b30 : Thu Nov 20 2003 - 00:26:58 PST