Re: hpd, afb, sc, and sn

From: gminick (gminickat_private)
Date: Sat Dec 21 2002 - 02:53:33 PST


    On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:
    > I found suspicious looking files on a Redhat 7.1 Linux server earlier
    > today.  Can anyone confirm or deny that the machine has been hacked?
    Yes, you've been cracked, but it's hard to say what toolkit was
    used since I've never heard of any that uses binaries such as
    afb, sn or sc. Can you provide these files to us (put them on
    the WWW or something like that)?
    
    > nmap reports the following ports open:
    > Port       State       Service
    > 5/tcp      open        rje                     
    [...]
    > 8009/tcp   open        ajp13          
    
    > Anyone know about this hack, what afb does and/or how they usually get
    > in?
    It's important to determine what services you've been providing
    before the attack. From nmap's output we can say that vulnerabilities
    (for example) in sunrpc or your ssh server or DNS server were used
    to get in.
    
    -- 
    [ ] gminick (at) underground.org.pl  http://gminick.linuxsecurity.pl/ [ ]
    [ "I just like the morning solitude, because that's when coffee tastes best." ]
    
    
    



    This archive was generated by hypermail 2b30 : Tue Dec 24 2002 - 01:28:09 PST