Possible break-in

I'm looking at a possible unauthorized access to one of our servers running Fedora Core 1 with all the current updates. The infected (modified) files are:


"/usr/sbin/nstat"
"/usr/sbin/rtacct"
"/usr/sbin/rtstat"
"/usr/sbin/ss"

"/usr/lib/libcups.so.2"
"/usr/lib/libcupsimage.so.2"
"/usr/lib/libijs.so"
"/usr/lib/libpng12.so.0.1.2.2"

"/sbin/ip"
"/sbin/tc"
"/sbin/rtmon"

...and just about all of the user binaries that come with netpbm-progs-9.24-12.1.1

I first noticed changes in those files yesterday, reverted them back to the originals, and re-ran tripwire to check and update the database. They're changed again today.

The system has already been taken care of in terms of nuking it off the net. My question is, how did they get in? chkrootkit didn't detect anything, at least not in its set of checks, which leads me to believe that either they're not aware of this particular break-in, or it's something else.

Does anyone have any insight on this?

--
W | I haven't lost my mind; it's backed up on tape somewhere.
 +--------------------------------------------------------------------
 Ashley M. Kirchner <mailto:ashley@xxxxxxxxxx>   .   303.442.6410 x130
 IT Director / SysAdmin / WebSmith             .     800.441.3873 x130
 Photo Craft Laboratories, Inc.            .     3550 Arapahoe Ave. #6
 http://www.pcraft.com ..... .  .    .       Boulder, CO 80303, U.S.A.




-- redhat-list mailing list unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe https://www.redhat.com/mailman/listinfo/redhat-list
