you mention apache running: "openssl-too-open is a remote exploit for the KEY_ARG overflow in OpenSSL 0.9.6d and older. It will give you a remote shell with the priviledges of the server process (nobody when used against Apache, root against other servers)." works against apache servers, u dont specify specifically but it would be my guess that this could be the hole in your system. However there are also BIND exploits out there, don't have a clue about them. The way to check is see if your apache leaves port 443 open, and if so look at your version of openssl. As for the logs and no suspicious processes; The chances are a rootkit could have been installed to hide the hackers movements, or he came in, changed the pass and then left again after using a log cleaner. You can recover logs in various ways, google is always a good one or someone on this list can help more with that no doubt. Check for odd dates or sizes on ps. A good place to go to see if you have been "rooted" is: www.chkrootkit.org. My personal tip would be take your computer off the network asap and then do a thorough analysis with it isolated. Quoting RCS <rcsat_private>: > I have no idea how the root password on my FreeBSD 4.0 system was = > changed, only I have access to it and I have only SMTP (sendmail = > 8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3 . Everything else = > is restricted by ACLs at the router. > > I had to enter single user mode and change it today. > > I have thoroughly checked running processes and the logs and there is = > nothing suspicious.=20 > > Please give me your opinion on what could have caused this.=20 > > Thanks > > -- > Roberto Cardona Jr. =20 > > -- > Roberto Cardona Jr. > IT/IS Manager > Corporate Office Centers | http://www.corporateofficecenters.com > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 11:36:05 PST