RE: info

From: Joe T. (auximiniat_private)
Date: Fri May 03 2002 - 15:59:30 PDT

> Get an 'lsof' listing of processes and what programs are bound to
> those ports/processes. See if any trojans have been installed on the
> box.

Nothing out of the ordinary.

> One other thing you might want to do is use the find command to find
> any 'dot' directories.
> % find . -type d -name ".*" -print

Just the ones I have already found.

> I'd also see what versions of SSHD, etc. were running to figure out
> how the attacker might have broken in. Check SSH for the CRC/32
> vulnerability. I would also see if he left telnetd running or any RPC
> services. Also, might want to let your friend know not to keep
> tripwire databases on the same machine. They should be put on a
> protected floppy or cdrom.

sshd, wu-ftp, telnet, and every other program that has had a major security bug in the
past year (how long this box has been up) is installed. I doubt I can narrow down how the
hacker got in unless he left a copy of whatever exploit he used on the system. So far I
haven't found one.

I'm going to do another couple of sweeps through the box and see if I can pick up any more
info. After that, I'm going to recommend reinstallation and a closer look at how he
configures his system.

Thanks,
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
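The triage steps discussed in this exchange (an lsof listing of what is bound to which port, a sweep for hidden "dot" directories, checking daemon versions, and keeping the integrity baseline off the box) collected into a few shell functions. This is an added example, not code from the thread or from either poster; it assumes a Linux host with POSIX sh, GNU find/sort/xargs and sha256sum, treats lsof, ss and netstat as optional, and the directory and package lists are constructed starting points rather than anything the message names.

```shell
#!/bin/sh
# Added example, not from the original thread. Read-only triage helpers for
# the steps discussed above: hidden ("dot") directories, what is listening
# on the host and which process owns it, package versions of the daemons
# named, and an integrity baseline meant to be written to removable or
# read-only media rather than kept on the host.
# Assumes Linux with POSIX sh, GNU find/sort/xargs and sha256sum; lsof, ss
# and netstat are optional and tried in that order.

# Print every hidden directory under ROOT (default "."), one per line.
# "." and ".." are excluded so the root itself is never reported.
find_dot_dirs() {
    root="${1:-.}"
    find "$root" -type d -name '.*' ! -name '.' ! -name '..' 2>/dev/null
}

# Hidden directories under locations that rarely hold them legitimately.
# The list is a constructed starting point; directories that do not exist
# on this host are skipped.
suspicious_dot_dirs() {
    for d in /dev /tmp /var/tmp /usr/lib /usr/bin /usr/sbin /etc; do
        [ -d "$d" ] && find_dot_dirs "$d"
    done
    return 0
}

# Listening sockets with the owning process: lsof first (as in the thread),
# then ss(8), then netstat(8). Returns 1 if none of them is installed.
listening_sockets() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP -sTCP:LISTEN
        lsof -nP -iUDP
    elif command -v ss >/dev/null 2>&1; then
        ss -lntup
    elif command -v netstat >/dev/null 2>&1; then
        netstat -lntup
    else
        echo "none of lsof, ss or netstat is available" >&2
        return 1
    fi
}

# Installed versions of the packages that ship the daemons named in the
# thread, via rpm or dpkg, for comparison against vendor advisories.
# Package names are the common ones (assumption; adjust per distribution).
package_versions() {
    for pkg in openssh-server wu-ftpd telnet-server portmap; do
        if command -v rpm >/dev/null 2>&1; then
            rpm -q "$pkg" || true
        elif command -v dpkg-query >/dev/null 2>&1; then
            dpkg-query -W -f='${Package} ${Version}\n' "$pkg" 2>/dev/null \
                || echo "$pkg is not installed"
        fi
    done
}

# SHA-256 manifest of every regular file under ROOT, written to stdout.
# Redirect it to a floppy, CD-R or another host, as the thread advises for
# tripwire databases: a baseline stored on the compromised box can be
# rewritten by whoever owns the box.
make_baseline() {
    root="${1:-.}"
    find "$root" -type f -print0 2>/dev/null | sort -z | xargs -0 sha256sum
}

# Check the current tree against a saved manifest. Prints each changed or
# missing file; returns 0 if every file matches, 1 if anything differs.
verify_baseline() {
    if sha256sum -c --quiet "$1" >/dev/null 2>&1; then
        echo "baseline matches"
        return 0
    fi
    # Second pass only to list the failing entries for the analyst.
    sha256sum -c --quiet "$1" 2>/dev/null || true
    return 1
}
```

Source the file and run `suspicious_dot_dirs`, `listening_sockets` and `package_versions` on the host being examined; `make_baseline / > /mnt/cdrom/baseline.sha256` (path assumed) produces the manifest and `verify_baseline /path/to/baseline.sha256` is what you run from a clean boot later. Comparing lsof output against a known-good host is more reliable than reading it cold, since a trojaned daemon on a normal port looks ordinary in the listing.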

This archive was generated by hypermail 2b30 : Mon May 06 2002 - 11:53:21 PDT