Just an FYI:

Early this morning (0220 local time, Monday) we had a couple of SUN machines compromised via dtspcd. The exploit started a second copy of inetd with a configuration file /tmp/x which bound a root shell on 1524 (ingreslock).

Later in the morning (0800) one of the machines started a synflood attack on another machine on our network. This combined with the fact that the attack originated from a local ISP strongly suggests this is the work of some of our students, sigh...

No root kit was installed and no other back doors found, we are reinstalling anyway, of course...

The snort rules in the experimental rules file picked up the attack.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
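An added host-triage example (not part of the original post) for the two artifacts the message describes: an extra inetd started with a configuration file outside the system path, and an inetd entry that hands a shell to whoever connects. The `ps` listing format, the PIDs, the trusted config paths and the contents of the sample config are constructed assumptions; the post does not show them.

```python
# Triage sketch: flag inetd instances using a non-system config file, and
# inetd.conf-style entries whose server program is a shell.
SHELLS = {"sh", "csh", "ksh", "bash", "tcsh", "zsh"}
# Assumption: config locations treated as legitimate on the host.
TRUSTED_CONFIGS = {"/etc/inetd.conf", "/etc/inet/inetd.conf"}

def suspicious_inetd_processes(ps_lines):
    """Return [(pid, config)] for inetd processes given an untrusted config path.
    Assumed input: lines shaped like `ps -eo pid,user,args` (PID USER COMMAND ARGS)."""
    hits = []
    for line in ps_lines:
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            continue  # header or malformed line
        pid, cmd, args = int(fields[0]), fields[2], fields[3:]
        if cmd.rsplit("/", 1)[-1] != "inetd":
            continue
        for arg in args:
            # Skip flags and numeric flag operands; what remains is a config path.
            if arg.startswith("-") or arg.isdigit():
                continue
            if arg not in TRUSTED_CONFIGS:
                hits.append((pid, arg))
    return hits

def shell_bound_services(conf_text):
    """Return [(service, proto, user, server)] for entries that exec a shell.
    Fields: service socket-type protocol wait-flag user server-program args."""
    hits = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # comment, blank or incomplete entry
        service, proto, user, server = fields[0], fields[2], fields[4], fields[5]
        if server.rsplit("/", 1)[-1] in SHELLS:
            hits.append((service, proto, user, server))
    return hits

# Constructed sample data, not taken from the compromised hosts.
SAMPLE_PS = [
    "  PID USER COMMAND",
    "  171 root /usr/sbin/inetd -s",
    " 2744 root /usr/sbin/inetd -s /tmp/x",
    "  300 root /usr/dt/bin/dtlogin -daemon",
]
SAMPLE_CONF = """# constructed stand-in for a dropped config file
ingreslock stream tcp nowait root /bin/sh sh -i
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
"""

if __name__ == "__main__":
    print(suspicious_inetd_processes(SAMPLE_PS))
    print(shell_bound_services(SAMPLE_CONF))
```

On a live host the same functions would be fed the real process listing and any config file an inetd process points at; a listener on 1524/tcp with no matching entry in the system inetd.conf is the corroborating network-side signal.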
This archive was generated by hypermail 2b30 : Mon Jan 21 2002 - 07:39:01 PST