Re: Root password changed

From: Adam Bultman (adambat_private)
Date: Mon Jan 06 2003 - 12:38:44 PST


    Sounds like someone used a vulnerability in a service you have open and 
    got it running.  I don't know if you checked using the more advanced 
    tools, but you might want to run the more powerful IDSes and programs that 
    will be able to check files/binaries on a deeper level than doing an `ls 
    -la' (as rootkits will install binaries that hide processes, files, 
    etc).
    
    I'd also suggest you check other servers that have other services 
    available.  They may have gotten onto another system and compromised that 
    server via another service not available to the outside (but of course, 
    I know nothing of your internal network).
      
    My systems run tripwire, chkrootkit, and logsentry which gives me 
    info on what is happening on my servers. I prefer verbose logging, rather 
    than my predecessor's 'Hear no evil, see no evil' policy of sending 
    everything to /dev/null.   
    
    I'd start comparing file sizes between that and another similar system to 
    see if you have been trojaned or cracked, or if you have been for some 
    time. 
    
    Either way, I'd prep another server to replace that one, as I personally 
    will not trust a server that has been trojaned or compromised in that 
    fashion.  
    
    -- 
    adambat_private
    [ www.glaven.org ]
    
    On Fri, 3 Jan 2003, RCS wrote:
    
    > I have no idea how the root password on my FreeBSD 4.0 system was
    > changed, only I have access to it and I have only SMTP (sendmail
    > 8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3 . Everything else
    > is restricted by ACLs at the router.
    > 
    > I had to enter single user mode and change it today.
    > 
    > I have thoroughly checked running processes and the logs and there is
    > nothing suspicious.
    > 
    > Please give me your opinion on what could have caused this.
    > 
    > Thanks
    > 
    > --
    > Roberto Cardona Jr.       
    > IT/IS Manager 
    > Corporate Office Centers | http://www.corporateofficecenters.com
    > 
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
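
A worked version of the file-size comparison suggested above, as an added example that is not part of the original post: it records size and hash for every file under a directory on the suspect host and on a known-good twin, then reports files that changed, went missing, or appear only on the suspect. The two sample trees are constructed in a temporary directory; the hash matters because a replacement binary padded to the original length passes a size-only check.

```shell
#!/bin/sh
# Added example: size+hash manifest of a directory tree, compared against a
# known-good twin. A size-only comparison misses a trojan padded to the
# original length; the hash column catches it.

hash_file() {
    # Prefer SHA-256 (sha256sum on Linux, sha256 on FreeBSD); fall back to cksum.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else cksum "$1" | cut -d' ' -f1
    fi
}

make_manifest() {
    # $1 = directory root; prints "path size hash", one regular file per line.
    (cd "$1" && find . -type f | sort | while IFS= read -r f; do
        printf '%s %s %s\n' "$f" "$(wc -c < "$f" | tr -d ' ')" "$(hash_file "$f")"
    done)
}

compare_manifests() {
    # $1 = known-good manifest, $2 = suspect manifest.
    awk 'NR == FNR { good[$1] = $2 " " $3; next }
         {
             if (!($1 in good)) { print "EXTRA   " $1; next }
             split(good[$1], g, " ")
             if (g[2] != $3 && g[1] != $2) print "CHANGED " $1 " (size " g[1] " -> " $2 ")"
             else if (g[2] != $3)           print "CHANGED " $1 " (same size, different hash)"
             delete good[$1]
         }
         END { for (f in good) print "MISSING " f }' "$1" "$2" | sort
}

demo() {
    # Constructed sample trees: a clean twin and a suspect copy with four differences.
    t=$(mktemp -d) && mkdir -p "$t/good/bin" "$t/suspect/bin"
    printf 'ls-binary\n' > "$t/good/bin/ls";      cp "$t/good/bin/ls" "$t/suspect/bin/ls"
    printf 'ps-binary\n' > "$t/good/bin/ps";      printf 'ps-trojan\n' > "$t/suspect/bin/ps"
    printf 'netstat\n'   > "$t/good/bin/netstat"; printf 'netstat-trojaned\n' > "$t/suspect/bin/netstat"
    printf 'x\n'         > "$t/good/bin/sshd"        # on the clean twin only
    printf 'x\n'         > "$t/suspect/bin/.hidden"  # on the suspect only
    make_manifest "$t/good"    > "$t/good.manifest"
    make_manifest "$t/suspect" > "$t/suspect.manifest"
    compare_manifests "$t/good.manifest" "$t/suspect.manifest"
    rm -rf "$t"
}

demo
```

On a real box, run `make_manifest / > host.manifest` on both machines from a trusted medium (the suspect's own `find`, `awk` and hash tools may themselves be replaced) and diff the manifests on the clean host.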
    



    This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 12:20:36 PST