Re: Possible Intrusion?

From: Alvin Oga (alvin.secat_private-Consulting.com)
Date: Tue Jun 12 2001 - 17:26:16 PDT


    hi kip
    
    you *were* rootkit'd or equivalent...
    
    - backup all your data to new clean disks....
    	- /home, /etc, /var/log etc
    	- do NOT destroy existing backups
    
    - check the date on those files you found ...
      and see what else is there on/around that time
    
    	# all files changed in the last 3 days
    	find / -mtime -3  -ls
    
    - am assuming that "find" is your original command
      and that it was not substituted
    
    - restore your binaries from cdrom...
    	and apply all rh-6.2 patches...
    	- turn off all your un-needed services/daemons
    
    - remove all the "hacker/cracker" changes...
    
    - see if you can catch the hacker/cracker...
    	- if you don't want to play cat and mouse...
    	- reformat your disks and apply all the latest
    	patches...etc...
    
    - rh-6.2 is a sitting duck.... especially if you have
      not patched it..
    
    c ya
    alvin
    http://www.Linux-Sec.net 
    
    On Tue, 12 Jun 2001, Kip Perkins wrote:
    
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > Good morning all. I was wondering if I could get some help on a possible
    > intrusion analysis. Recently I discovered some interesting things on a RH
    > Linux 6.2 box.
    > 
    > in /dev:
    > /dev/.w
    > /dev/.c
    > /dev/.cmd
    > 
    > in /etc/inetd.conf:
    > 6968 stream tcp nowait root /bin/sh sh -i
    > 2121 stream tcp nowait root /usr/sbin/tcpd in/telnetd
    > 
    > in /etc/passwd:
    > cmd:x:0:500::/dev/.cmd:/dev/null
    > command:x:500:501::/dev/.c:/dev/null
    > wizards:x:501:502::/dev/.w:/dev/null
    > 
    > This is all I can find that is weird (translate- "I don't recognize").
    > Does anyone recognize these entries? Is this a possible rootkit?
    > The /dev/ homes and cmd UID of 0 give me that impression.
    > Any help would be greatly appreciated :-)
    > 
    > - - --
    > Kip Perkins
    > Systems Administrator
    > NIC - TennesseeAnytime.org
    > office 615.313.0312
    > 
    > Live as you want your children to
    > 
    
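Added example, not code from either poster: a small Python triage script that checks the three indicator classes Kip listed (UID-0 accounts and /dev home directories in /etc/passwd, inetd entries that hand out a shell or sit on a bare port number, dot-entries in /dev), run here against constructed samples that mirror his findings. On a real host you would feed it the suspect files and `os.listdir("/dev")`, and as Alvin notes, the interpreter and tools on a compromised box may themselves be substituted, so run it from clean media.

```python
# Constructed samples mirroring the entries reported above (not a live host).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
cmd:x:0:500::/dev/.cmd:/dev/null
command:x:500:501::/dev/.c:/dev/null
wizards:x:501:502::/dev/.w:/dev/null
kip:x:1000:1000:Kip Perkins:/home/kip:/bin/bash
"""
SAMPLE_INETD = """# inetd.conf
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
6968 stream tcp nowait root /bin/sh sh -i
2121 stream tcp nowait root /usr/sbin/tcpd in/telnetd
"""

def suspicious_passwd(text):
    """(user, reason) for every UID-0 account other than root and for every
    account whose home directory sits under /dev."""
    hits = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 7:
            continue
        user, uid, home = f[0], f[2], f[5]
        if uid == "0" and user != "root":
            hits.append((user, "uid 0"))
        if home.startswith("/dev/"):
            hits.append((user, "home under /dev"))
    return hits

def suspicious_inetd(text):
    """(service, reasons) for inetd entries whose server program is a shell
    or whose service field is a bare port number rather than a name."""
    hits = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        service, server, args = f[0], f[5], f[6:]
        reasons = []
        if server.endswith("/sh") or "sh" in args:
            reasons.append("spawns shell")
        if service.isdigit():
            reasons.append("numeric port")
        if reasons:
            hits.append((service, ", ".join(reasons)))
    return hits

def hidden_names(names):
    """Dot-entries from a directory listing; in /dev these are rarely legitimate."""
    return sorted(n for n in names if n.startswith("."))
```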



    This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 22:42:21 PDT