It appears that he had opened the FTP and Telnet ports on the Linksys and I noticed a line in /var/log/messages indicating that root was acquired via ftp. (I don't have the disk here right now but am going to mount it up on a box at home to look at the filesystem.) Luckily it wasn't a professional job since there was a home dir called ckcool and the .so's that were changed were in there. There was also a passwd-, etc., in /etc. I'm going to take the disk back home and will attempt to summarize the findings.

thanks all,
bobm

> -----Original Message-----
> From: James <jlottsat_private>@INTERNET@HHC
> Sent: Wednesday, February 20, 2002 4:34 PM
> To: Bob Maccione
> Cc: incidentsat_private
> Subject: Fw: ckcool?
>
> <<...>>
> There are not any vulnerabilities that I know of. He probably had that
> server set as a 'DMZ server', which in Linksys terms, means that it is
> completely open to the Internet. Were I to hazard a guess, it was
> probably changed from the inside. Do you know if he had the default
> password set, or remote administration enabled?
>
> James
>
> > -----Original Message-----
> > From: Bob Maccione [mailto:Bob_Maccioneat_private]
> > Sent: Tuesday, February 19, 2002 8:45 AM
> > To: 'incidentsat_private'
> > Subject: ckcool?
> >
> > I have a friend that got hacked running linux. Luckily it's an immature
> > enough hack that the mess left behind told me what happened. In this
> > case a user was created called 'ckcool' and then a rootkit was thrown
> > down. I'm going to get the disk from him to see what all was done but
> > one thing puzzled me. It seems that the password on the Linksys
> > firewall/router was also changed.
> >
> > Has anyone seen/heard of any vulnerabilities in the Linksys Cable/DSL
> > router/firewalls?
> >
> > thanks
> > bob
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service. For more
> > information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
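One way to triage a mounted disk image for the artifacts Bob describes (an account added since the passwd- backup, a UID 0 account that is not root, shared objects under a home directory, and a root login over FTP in the syslog). This is an added example, not part of the original thread; the sample tree, log lines and account names are constructed, and the directory layout under the mount point is an assumption.

```shell
#!/bin/sh
# Offline triage of a victim filesystem mounted read-only at a path passed
# as $1. Added example; the checks mirror the findings in the thread above.
set -eu

# Constructed stand-in for the mounted disk so the checks run offline.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/etc" "$root/var/log" "$root/home/ckcool/lib"
  # passwd- is the backup left by the last edit; passwd is the current file.
  printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1000:1000::/home/bob:/bin/bash\n' \
    > "$root/etc/passwd-"
  printf 'root:x:0:0:root:/root:/bin/bash\nbob:x:1000:1000::/home/bob:/bin/bash\nckcool:x:0:0::/home/ckcool:/bin/bash\n' \
    > "$root/etc/passwd"
  # Constructed syslog lines in the style of a wu-ftpd login record.
  printf 'Feb 18 02:11:09 host ftpd[812]: FTP LOGIN FROM 203.0.113.5 [203.0.113.5], root\nFeb 18 02:12:40 host sshd[900]: Accepted password for bob\n' \
    > "$root/var/log/messages"
  : > "$root/home/ckcool/lib/libproc.so"
  echo "$root"
}

# Account names present in passwd but absent from the passwd- backup.
added_accounts() {
  old=$(mktemp); new=$(mktemp)   # scratch files outside the evidence mount
  cut -d: -f1 "$1/etc/passwd-" | sort > "$old"
  cut -d: -f1 "$1/etc/passwd"  | sort > "$new"
  comm -13 "$old" "$new"
  rm -f "$old" "$new"
}

# Any account other than root carrying UID 0.
uid0_accounts() { awk -F: '$3 == 0 && $1 != "root" {print $1}' "$1/etc/passwd"; }

# Shared objects stored under home directories, where none belong.
so_in_home() { find "$1/home" -type f -name '*.so*'; }

# Count of FTP root logins recorded in the syslog.
ftp_root_logins() { grep -c 'ftpd.*LOGIN.*root' "$1/var/log/messages"; }
```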
This archive was generated by hypermail 2b30 : Fri Feb 22 2002 - 16:22:32 PST