RE: Questions = Thanks

From: Ihsahn Diablo (traktopikaat_private)
Date: Wed Nov 21 2001 - 13:19:44 PST


    >From: "Mark Piper" <markpat_private>
    >Reply-To: <markpat_private>
    >To: "'Ihsahn Diablo'" <traktopikaat_private>
    >Subject: RE: Questions
    >Date: Thu, 22 Nov 2001 09:32:42 +1300
    >
    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1
    >
    >Hi Ihsahn,
    >
    >Adore is a popular rootkit for Red Hat 6.x servers. I can't remember
    >the link to the information on it, but I will hunt it out for you...
    >
    >As for DP, it appears to redirect ports from your local machine to a
    >remote host.... I have dp.c someplace round here, I will hunt it out
    >for you...
    >
    >Could you please show us the results of a netstat -a? It shouldn't be
    >too hard to spot how the intruders got in.
    >
    >
    >Hope this helps =)
    >
    >Mark Piper
    
       Thanks Mark, but I know what Adore is (thanks to Mike Lewinski). My 
    server has Red Hat 7.0, I update it daily, and every existing patch is applied. 
    Soon I will upgrade it to Red Hat 7.2.
       I thank everybody who answered my mail, and my conclusion is: dp 
    is "datapipe" :). I believed it was a remote exploit. The way they entered 
    my system is fairly simple: they cracked another server which has rights on 
    mine (hosts.allow rulez). This is my conclusion after 2 days and 2 nights 
    with no sleep to find how they entered (and a lot of phones :) ).
      I repeat, I believed dp was a remote exploit, so I wasn't fairly scared 
    because I didn't know about it.
    
       Chkrootkit was the first thing I did. The second was to check 
    the other servers. It is strange: I found it (the rk) on one server and not 
    on the others.
    
      So I have one more thing to ask you: give me some good links about what 
    to do after a break-in, or what to do if somebody is in the middle of an attack.
    
    
    
    
    Thanks a lot for your help,
    
    
    Best regards,
    
    
    
    Goba
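The break-in described above came through a trust relationship in tcp_wrappers' hosts.allow: once the trusted host fell, it had a path onto this one. The script below is an added example (not code from this thread or from Goba's or Mark's machines) that enumerates exactly those grants so a responder can see, for each daemon, which remote hosts are trusted and where wildcards widen the exposure. It assumes the plain `daemon_list : client_list` line format without line continuations and without IPv6 literals; the sample hosts.allow it reads is constructed here with hypothetical hostnames.

```shell
#!/bin/sh
# Added example: audit tcp_wrappers trust grants in a hosts.allow file.
# Assumptions: one rule per line ("daemon_list : client_list [: option]"),
# no backslash continuations, no IPv6 literals (a colon would split them).

# Constructed sample policy for demonstration; hosts are hypothetical.
SAMPLE_HOSTS_ALLOW="${TMPDIR:-/tmp}/hosts.allow.sample.$$"
cat > "$SAMPLE_HOSTS_ALLOW" <<'EOF'
# sample tcp_wrappers policy (constructed for this example)
sshd: 10.0.0.5, shell.example.test
in.rshd: shell.example.test
ALL: 192.168.1.0/255.255.255.0
portmap: ALL
EOF
trap 'rm -f "$SAMPLE_HOSTS_ALLOW"' EXIT

# audit_hosts_allow FILE
# Prints one "daemon client" pair per line, expanding comma-separated lists,
# so every individual trust grant is visible on its own line.
audit_hosts_allow() {
    awk -F: '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        {
            n = split($1, daemons, /[[:space:],]+/)
            m = split($2, clients, /[[:space:],]+/)
            for (i = 1; i <= n; i++) {
                if (daemons[i] == "") continue
                for (j = 1; j <= m; j++) {
                    if (clients[j] == "") continue
                    print daemons[i], clients[j]
                }
            }
        }' "$1"
}

# trusted_hosts FILE
# Unique client entries granted any service: the machines whose compromise
# would give an intruder a route onto this server.
trusted_hosts() {
    audit_hosts_allow "$1" | awk '{ print $2 }' | sort -u
}

# wildcard_grants FILE
# Number of grants where either the daemon or the client side is ALL;
# these are the broadest trust relationships and deserve review first.
wildcard_grants() {
    audit_hosts_allow "$1" | awk '$1 == "ALL" || $2 == "ALL"' | wc -l | tr -d ' '
}

# Stand-alone run: show every grant, then the hosts to check if one is breached.
audit_hosts_allow "$SAMPLE_HOSTS_ALLOW"
echo "--- trusted hosts ---"
trusted_hosts "$SAMPLE_HOSTS_ALLOW"
echo "--- wildcard grants: $(wildcard_grants "$SAMPLE_HOSTS_ALLOW") ---"
```

Run it against the real file with `audit_hosts_allow /etc/hosts.allow`; the `trusted_hosts` list is the set of machines to verify with chkrootkit alongside the one that was actually found compromised, since a rootkit on any of them reaches this server through the same grant.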
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Nov 21 2001 - 15:04:52 PST