Sounds like someone used a vulnerability in a service you have open and got it running. I don't know if you checked using the more advanced tools, but you might want to run the more powerful IDSes and programs that will be able to check files/binaries on a deeper level than doing an `ls -la` (as rootkits will install binaries that hide processes, files, etc).

I'd also suggest you check other servers that have other services available. They may have gotten onto another system and compromised that server via another service not available to the outside (but of course, I know nothing of your internal network).

My systems run tripwire, chkrootkit, and logsentry, which give me info on what is happening on my servers. I prefer verbose logging, rather than my predecessor's 'Hear no evil, see no evil' policy of sending everything to /dev/null.

I'd start comparing file sizes between that and another similar system to see if you have been trojaned or cracked, or if you have been for some time. Either way, I'd prep another server to replace that one, as I personally will not trust a server that has been trojaned or compromised in that fashion.

--
adambat_private [ www.glaven.org ]

On Fri, 3 Jan 2003, RCS wrote:

> I have no idea how the root password on my FreeBSD 4.0 system was
> changed, only I have access to it and I have only SMTP (sendmail
> 8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3 . Everything else
> is restricted by ACLs at the router.
>
> I had to enter single user mode and change it today.
>
> I have thoroughly checked running processes and the logs and there is
> nothing suspicious.
>
> Please give me your opinion on what could have caused this.
>
> Thanks
>
> --
> Roberto Cardona Jr.
> IT/IS Manager
> Corporate Office Centers | http://www.corporateofficecenters.com
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------
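The "compare file sizes against a similar system" check suggested above is the manual form of what tripwire automates. As an added example (not code from the thread or from any of the tools named in it), here is a small Python baseline comparison that records size, permission bits and SHA-256 for every regular file under a trusted tree and reports what differs in a suspect tree. Size alone misses a binary replaced by one of identical length, so the hash is what catches a swapped `ps`; the mode check catches an unexpected setuid bit. The `demo()` function builds two constructed `bin/` trees in a temporary directory; the file names and contents are stand-ins, not real binaries.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Size, permission bits and SHA-256 of one regular file."""
    st = path.lstat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode), "sha256": h.hexdigest()}


def build_manifest(root: Path) -> dict:
    """Walk root and record every regular file, keyed by path relative to root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks, devices and sockets are out of scope here
            manifest[str(p.relative_to(root))] = file_record(p)
    return manifest


def compare_manifests(baseline: dict, suspect: dict) -> dict:
    """Return files that differ between the trusted tree and the suspect tree.

    'modified' maps a path to the list of attributes that changed
    (size, mode, sha256); 'missing' and 'added' are sorted path lists.
    """
    modified = {}
    for rel, base in baseline.items():
        cur = suspect.get(rel)
        if cur is None:
            continue
        diffs = [k for k in ("size", "mode", "sha256") if base[k] != cur[k]]
        if diffs:
            modified[rel] = diffs
    return {
        "modified": modified,
        "missing": sorted(set(baseline) - set(suspect)),
        "added": sorted(set(suspect) - set(baseline)),
    }


def demo() -> dict:
    """Constructed example: a known-good tree and a suspect tree with tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        bad = Path(tmp) / "suspect"
        for root in (good, bad):
            (root / "bin").mkdir(parents=True)
            (root / "bin" / "ls").write_bytes(b"ELF-stand-in: ls\n")
            (root / "bin" / "ps").write_bytes(b"ELF-stand-in: ps\n")
        # Same length as the original, different bytes: a size-only check misses this.
        (bad / "bin" / "ps").write_bytes(b"ELF-stand-in: PS\n")
        # Unchanged contents but an unexpected setuid bit.
        (bad / "bin" / "ls").chmod(0o4755)
        # A file present only on the suspect system.
        (bad / "bin" / "netstat").write_bytes(b"new file\n")
        return compare_manifests(build_manifest(good), build_manifest(bad))


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

In practice the baseline manifest would be built from install media or a freshly installed host of the same release and kept off the suspect machine, since a compromised system cannot be trusted to report its own state.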
This archive was generated by hypermail 2b30 : Tue Jan 07 2003 - 12:20:36 PST