On Tue, 2003-11-18 at 12:19, A.J. Weinzettel wrote:
> I have had multiple break-ins somehow using different versions of RedHat
> (7.1, 7.3, & 8.0). This started last week on the 7.1 and 7.3 boxes. I
> have been keeping up on all the latest patches for Apache, Sendmail,
> SSH, MySQL. So, I noticed the break-ins and noticed a directory called
> /dev/rd/cdb. In this directory there is a run.tgz and it is expanded
> into a directory. This is the contents:

Find a trusted version of find and look for a copy of .bash_history where it does not belong. (Like /var.)

Are you running iptables or ipchains? What is visible from outside? A friend had a server broken into through MySQL. (It was visible to the outside world.) Have you checked to see what is actually visible to the outside with nmap?

Also, I do not understand why you went to Redhat 8.0 as opposed to Redhat 9 or Fedora 1. The unicode implementation in 8.0 is uneven and incomplete. (I am expecting more unicode exploits as unix moves to using it.)

-- 
"Society will bear responsibility for this, We put the men of religion above fault, and made them unaccountable. We gave them special privilege -- and this is the result." - Hussein Nasser in The Arab News
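The check suggested in the reply above, written out as an added example (not code from the thread): it runs a copy of find you trust (the FIND variable is an assumption; point it at a binary copied from known-good media, since a rootkit may replace the system one) to list .bash_history files outside the home directories, and it goes one step further by listing regular files under /dev and the specific /dev/rd/cdb directory from the report.

```sh
#!/bin/sh
# Added example. FIND is assumed to name a trusted copy of find; it falls
# back to whatever find is on PATH, which is exactly what you should not
# rely on once a box is suspected compromised.
FIND="${FIND:-$(command -v find)}"

# Normalise the tree root given as $1 ("/" or a mounted copy of the disk).
_root() { r="${1%/}"; [ -n "$r" ] || r=/; printf '%s' "$r"; }

# .bash_history files outside /home/* and /root/* under the given root.
# Shell history turning up in /var, /tmp or /dev is a sign someone had a
# shell where no user account should have had one.
stray_histories() {
  root=$(_root "$1"); prefix="${root%/}"
  "$FIND" "$root" -xdev -name .bash_history \
    ! -path "$prefix/home/*" ! -path "$prefix/root/*" 2>/dev/null
}

# Regular files under /dev. Device trees hold device nodes, directories,
# symlinks, fifos and sockets; an archive such as run.tgz does not belong.
odd_dev_files() {
  root=$(_root "$1"); prefix="${root%/}"
  "$FIND" "$prefix/dev" -xdev -type f 2>/dev/null
}

# The directory named in the original report, as a direct indicator check.
known_dropper_dir() {
  prefix="$(_root "$1")"; prefix="${prefix%/}"
  if [ -d "$prefix/dev/rd/cdb" ]; then echo "$prefix/dev/rd/cdb"; fi
}

# Run all three checks against a tree and print what they find.
scan_host() {
  echo "== .bash_history outside home directories under $1"
  stray_histories "$1"
  echo "== regular files under /dev"
  odd_dev_files "$1"
  echo "== known directory from the report"
  known_dropper_dir "$1"
}

# Usage: FIND=/mnt/cdrom/usr/bin/find sh scan.sh /   (or a mounted image root)
if [ "$#" -gt 0 ]; then scan_host "$1"; fi
```

Running it against a disk image mounted read-only from a clean boot avoids both the untrusted find and any kernel-level hiding on the live host.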
This archive was generated by hypermail 2b30 : Thu Nov 20 2003 - 00:26:58 PST