Re: Root password changed

From: Chris Barford (C.Barfordat_private)
Date: Mon Jan 06 2003 - 13:31:01 PST

Next message: Chris Barford: "Re: /sumthin Revisited"

Previous message: Michael LaSalvia: "RE: Root password changed"
In reply to: RCS: "Root password changed"
Next in thread: sysadmin: "Re: Root password changed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

you mention apache running:
"openssl-too-open is a remote exploit for the KEY_ARG overflow in
OpenSSL 0.9.6d and older. It will give you a remote shell with the
priviledges of the server process (nobody when used against Apache,
root against other servers)."

works against apache servers, u dont specify specifically but it would be my 
guess that this could be the hole in your system.

However there are also BIND exploits out there, don't have a clue about them.

The way to check is see if your apache leaves port 443 open, and if so look at 
your version of openssl.

As for the logs and no suspicious processes;

The chances are a rootkit could have been installed to hide the hackers 
movements, or he came in, changed the pass and then left again after using a 
log cleaner. You can recover logs in various ways, google is always a good one 
or someone on this list can help more with that no doubt.

Check for odd dates or sizes on ps. A good place to go to see if you have 
been "rooted" is: www.chkrootkit.org.

My personal tip would be take your computer off the network asap and then do a 
thorough analysis with it isolated.



Quoting RCS <rcsat_private>:

> I have no idea how the root password on my FreeBSD 4.0 system was =
> changed, only I have access to it and I have only SMTP (sendmail =
> 8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3 . Everything else =
> is restricted by ACLs at the router.
> 
> I had to enter single user mode and change it today.
> 
> I have thoroughly checked running processes and the logs and there is =
> nothing suspicious.=20
> 
> Please give me your opinion on what could have caused this.=20
> 
> Thanks
> 
> --
> Roberto Cardona Jr.      =20
> 
> --
> Roberto Cardona Jr.       
> IT/IS Manager 
> Corporate Office Centers | http://www.corporateofficecenters.com
> 
> 
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
> 
> 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Chris Barford: "Re: /sumthin Revisited"
Previous message: Michael LaSalvia: "RE: Root password changed"
In reply to: RCS: "Root password changed"
Next in thread: sysadmin: "Re: Root password changed"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 11:36:05 PST