----- Original Message -----
From: "Jim Mercer" <jimat_private>
To: <nanogat_private>
Sent: Thursday, August 23, 2001 10:39 AM
Subject: resolved Re: should i publish a list of cracked machines?

>
> ok, having seen numerous comments (and numerous requests for the file), i
> have decided to punt the list to cert.org and let them deal with it.
>
> - as much as i'd like to, i don't have the time/energy to run through
>   the list and contact each netadmin. i've walked that trail before
>   while attempting to nip a few DoS attacks.
>
> - i will not send the list to anyone other than cert, unless suggestions
>   can be made for other "authoritative" groups who will maybe pick up
>   the task of contacting the netadmins in the list
>
> my suspicions and some things to look for:
>
> - boxes were compromised using the buffer overflow in telnetd (speculation)
> - my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
> - nscd appears to be a hacked sshd, listening on a 14000 series port
> - it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
> - there was a file in /dev/ptaz which appeared to be DES crypto gunge
> - there were a bunch of irc/eggdrop related files in a ".e" directory of
>   one of the user's $HOME
>
> suggestions for looking about:
>
> - do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files
>   with the same timestamp
>
> - do a "du /dev" and look for anomalies
> - do a "cd /dev ; ls -l | grep -e-" and look for anomalies
> - do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies
>
> --
> [ Jim Mercer jimat_private +1 416 410-5633 ]
> [ Now with more and longer words for your reading enjoyment. ]
>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
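The checks suggested in the message above, written as a read-only shell sweep. This is an added example, not part of the original post; the function names, the ROOT prefix argument, the MAKEDEV exception and the use of bin/sh as the timestamp reference are assumptions.

```shell
#!/bin/sh
# Added example: read-only sweep for the anomalies listed in the message.
# ROOT is a path prefix (assumption) so the checks can be pointed at a
# mounted disk image (e.g. /mnt/evidence) instead of the live system,
# whose ls/find binaries may themselves have been replaced.

# Regular files under ROOT/dev. Device nodes are character/block specials,
# so an ordinary file there (the message mentions /dev/ptaz) stands out.
# MAKEDEV scripts are the expected exception on BSD-style /dev trees.
dev_regular_files() {
    find "$1/dev" -type f ! -name 'MAKEDEV*' 2>/dev/null | sort
}

# Files in a bin directory modified after a reference file from the same
# install. mtime can be reset by an intruder, so an empty result is a
# hint, not proof that the directory is clean.
bin_newer_than() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# ssh_* files sitting directly in ROOT/etc. Per the message, FreeBSD keeps
# them under /etc/ssh/, so copies one level up are worth a look.
stray_ssh_configs() {
    for f in "$1"/etc/ssh_*; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Run every check under one root and print labelled sections.
sweep() {
    root=${1%/}
    echo "== regular files in $root/dev"
    dev_regular_files "$root"
    for d in bin sbin usr/bin usr/sbin; do
        echo "== $root/$d: files newer than $root/bin/sh"
        bin_newer_than "$root/$d" "$root/bin/sh"
    done
    echo "== ssh_* files directly in $root/etc"
    stray_ssh_configs "$root"
}

# Usage: sh sweep.sh /mnt/evidence   (or / for the running system)
if [ "$#" -gt 0 ]; then sweep "$1"; fi
```

Anything the sweep prints still needs a manual look: package upgrades legitimately change binary timestamps, and some systems do ship regular files in /dev.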
This archive was generated by hypermail 2b30 : Thu Aug 23 2001 - 10:52:22 PDT