RE: ckcool?

From: Bob Maccione (Bob_Maccioneat_private)
Date: Wed Feb 20 2002 - 14:51:14 PST


    It appears that he had opened the FTP and Telnet ports on the Linksys
    and I noticed a line in the /var/log/messages indicating that root was
    acquired via ftp.  (I don't have the disk here right now but am going to
    mount it up on a box at home to look at the filesystem).
    
    Luckily it wasn't a professional job since there was a home dir called ckcool
    and the .so's that were changed were in there.  There was also a passwd-,
    etc in /etc.
    
    I'm going to take the disk back home and will attempt to summarize the
    findings.
    
    thanks all,
    bobm
    
    > -----Original Message-----
    > From:	James <jlottsat_private>@INTERNET@HHC 
    > Sent:	Wednesday, February 20, 2002 4:34 PM
    > To:	Bob Maccione
    > Cc:	incidentsat_private
    > Subject:	Fw: ckcool?
    > 
    > There are not any vulnerabilities that I know of.  He probably had that
    > server set as a 'DMZ server', which in Linksys terms, means that it is
    > completely open to the Internet.  Were I to hazard a guess, it was
    > probably changed from the inside.  Do you know if he had the default
    > password set, or remote administration enabled?
    > 
    > James
    > >
    > > -----Original Message-----
    > > From: Bob Maccione [mailto:Bob_Maccioneat_private]
    > > Sent: Tuesday, February 19, 2002 8:45 AM
    > > To: 'incidentsat_private'
    > > Subject: ckcool?
    > >
    > >
    > > I have a friend that got hacked running linux.  Luckily it's an immature
    > > enough hack that the mess left behind told me what happened.  In this
    > > case a user was created called 'ckcool' and then a rootkit was thrown
    > > down.  I'm going to get the disk from him to see what all was done but
    > > one thing puzzled me.  It seems that the password on the Linksys
    > > firewall/router was also changed.
    > >
    > > Has anyone seen/heard of any vulnerabilities in the Linksys Cable/DSL
    > > router/firewalls?
    > >
    > > thanks
    > > bob
    > >
    > >
    > >
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
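    The thread describes an offline look at the victim's disk: a new account
    called ckcool, a leftover /etc/passwd- backup, shared libraries dropped
    into that user's home directory, and a /var/log/messages line showing root
    logged in over ftp.  The script below is an added example and not code
    from anyone in the thread.  It assumes the disk has been mounted read-only
    at some path (the `root` argument) and runs four independent checks
    against it; the mock filesystem it builds for the demo, including the
    account name, the library filename and the ftpd log line, is constructed
    for illustration and is not real evidence from the incident.

```python
"""Offline triage of a mounted Linux root filesystem for the indicators
mentioned in the thread: a new account, a passwd- backup that predates it,
.so files under /home, and a root login over ftp.  Added example; all
names and sample data below are constructed, not taken from the incident."""
import re
import tempfile
from pathlib import Path


def parse_passwd(path):
    """Return {username: (uid, home)} from a passwd-format file; missing file -> {}."""
    entries = {}
    p = Path(path)
    if not p.exists():
        return entries
    for line in p.read_text().splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and not line.startswith("#"):
            entries[fields[0]] = (int(fields[2]), fields[5])
    return entries


def new_accounts(root):
    """Accounts present in /etc/passwd but absent from the /etc/passwd- backup
    (useradd/vipw leave passwd- behind, so the diff shows what was added)."""
    cur = parse_passwd(Path(root, "etc/passwd"))
    old = parse_passwd(Path(root, "etc/passwd-"))
    return sorted(set(cur) - set(old))


def extra_uid0(root):
    """Any account other than root that has UID 0."""
    cur = parse_passwd(Path(root, "etc/passwd"))
    return sorted(u for u, (uid, _) in cur.items() if uid == 0 and u != "root")


def shared_libs_in_homes(root):
    """Shared objects under /home; legitimate libraries do not live there."""
    home = Path(root, "home")
    if not home.is_dir():
        return []
    hits = [str(p.relative_to(root)) for p in home.rglob("*")
            if p.is_file() and re.search(r"\.so(\.\d+)*$", p.name)]
    return sorted(hits)


def ftp_root_logins(root):
    """Lines in /var/log/messages where an ftpd entry mentions root."""
    log = Path(root, "var/log/messages")
    if not log.exists():
        return []
    pat = re.compile(r"ftpd.*\broot\b", re.IGNORECASE)
    return [line for line in log.read_text().splitlines() if pat.search(line)]


def triage(root):
    """Run every check against the mounted image and collect the findings."""
    return {
        "new_accounts": new_accounts(root),
        "extra_uid0": extra_uid0(root),
        "libs_in_homes": shared_libs_in_homes(root),
        "ftp_root_logins": ftp_root_logins(root),
    }


def build_sample_image():
    """Constructed mock of a compromised root filesystem (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="mnt_"))
    (root / "etc").mkdir()
    (root / "home/ckcool").mkdir(parents=True)
    (root / "var/log").mkdir(parents=True)
    baseline = "root:x:0:0:root:/root:/bin/bash\nbob:x:500:500::/home/bob:/bin/bash\n"
    (root / "etc/passwd-").write_text(baseline)
    (root / "etc/passwd").write_text(
        baseline + "ckcool:x:0:0::/home/ckcool:/bin/bash\n")
    # constructed filename; the thread does not say which .so files were replaced
    (root / "home/ckcool/libfake.so.1").write_bytes(b"\x7fELF" + b"\0" * 12)
    # constructed syslog lines in a wu-ftpd style format
    (root / "var/log/messages").write_text(
        "Feb 18 02:11:03 host ftpd[1421]: FTP LOGIN FROM 10.0.0.5 [10.0.0.5], root\n"
        "Feb 18 02:11:09 host ftpd[1421]: FTP session closed\n")
    return root


if __name__ == "__main__":
    for check, result in triage(str(build_sample_image())).items():
        print(f"{check}: {result}")
```

    Run it from a known-clean host with the suspect disk mounted read-only
    (`mount -o ro,noexec,nodev /dev/sdb1 /mnt`) and pass `/mnt` as `root`;
    trusting `ls`, `find` or `ps` on the compromised box itself is exactly
    what a rootkit that replaces shared libraries is designed to defeat.  The
    passwd-/passwd diff only works when the attacker used the normal account
    tools, which is what the thread suggests happened here.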
    This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 16:22:32 PST