Upon further investigation of the compromise, I did discover another nifty little thing: This person, be it a root kit or an actual individual that did it, added a password to our user "mail" account. I'm guessing that in the event of a patch being applied to the server where all trojans were removed, the user "mail" could log in. This was found in the /etc/shadow file. The user "mail" should not have a password as far as I'm aware.

Regards.

On Sun, 2001-12-09 at 07:36, Armando B. Ortiz wrote:
> The attacks apparently took down two of our servers in a 4-server
> webfarm. They apparently leave the typical root kits and
> compromised/trojaned binaries.
>
> Unfortunately, I can't recover the other boxes and have to rebuild
> them. The intruder left compromised files relating to the operation of
> SSH as well as a trojaned SSH daemon.
>
> =:(

--
-----------------------------------------------------------------
From the Linux Box of Armando Ortiz
System Administrator
OnLineTraffic.com
Email: aortizat_private
Download my public key from: ftp://209.185.214.98/pub/pubkeys/aortizat_private
or retrieve it from http://www.keyserver.net as aortizat_private
(Public Key expires 01/04/2002)
All emails from me are signed by this public key.
-----------------------------------------------------------------
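A defender-side check for the finding in the message above (a service account such as "mail" carrying a usable password hash in /etc/shadow), added here as an example and not part of the original post. The passwd/shadow lines, the hash placeholders and the UID 500 system-account boundary are constructed assumptions; point the functions at the real /etc/passwd and /etc/shadow contents to audit a host.

```python
# Constructed sample data modelled on the post: the service account "mail"
# has been given a real hash where a lock ("*" or "!") is expected.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/bin/sh
armando:x:500:500:Armando:/home/armando:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$rootHashPlaceholder:11665:0:99999:7:::
daemon:*:11665:0:99999:7:::
mail:$1$CONSTRUCTED$mailHashPlaceholder:11665:0:99999:7:::
armando:$1$CONSTRUCTED$userHashPlaceholder:11665:0:99999:7:::
"""

SYSTEM_UID_MAX = 500  # assumed: UIDs below this are system/service accounts


def parse_colon_file(text, value_index):
    """Map the first field of each non-empty, non-comment line to field value_index."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        result[fields[0]] = fields[value_index]
    return result


def is_locked(password_field):
    """'*', '!' or '!!' in the shadow password field disable password login."""
    return password_field.startswith(("*", "!"))


def find_suspicious_system_accounts(passwd_text, shadow_text, uid_max=SYSTEM_UID_MAX):
    """Return sorted (user, uid, reason) for system accounts that can log in by password.
    root (UID 0) is skipped because it legitimately carries a hash; users without a
    shadow entry are skipped because there is nothing to authenticate against."""
    uids = {u: int(uid) for u, uid in parse_colon_file(passwd_text, 2).items()}
    shadow = parse_colon_file(shadow_text, 1)
    findings = []
    for user, uid in uids.items():
        if uid == 0 or uid >= uid_max or user not in shadow:
            continue
        field = shadow[user]
        if field == "":
            findings.append((user, uid, "empty password field: passwordless login"))
        elif not is_locked(field):
            findings.append((user, uid, "usable password hash set"))
    return sorted(findings)
```

On the sample data only "mail" is reported; run it from a known-clean copy of the files and alert on any new entry, since a hash appearing on a service account is exactly the persistence the post describes.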
This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 13:30:51 PST