Just curious, was this server behind a firewall? If so, what kind and what ports were open?

manuel

----- Original Message Follows -----
>
> I'm looking at a possible unauthorized access to one
> of our servers running Fedora Core 1 with all the current
> updates. The infected (modified) files are:
>
> "/usr/sbin/nstat"
> "/usr/sbin/rtacct"
> "/usr/sbin/rtstat"
> "/usr/sbin/ss"
>
> "/usr/lib/libcups.so.2"
> "/usr/lib/libcupsimage.so.2"
> "/usr/lib/libijs.so"
> "/usr/lib/libpng12.so.0.1.2.2"
>
> "/sbin/ip"
> "/sbin/tc"
> "/sbin/rtmon"
>
> ...and just about all of the user binaries that come
> with netpbm-progs-9.24-12.1.1
>
> I first noticed changes in those files yesterday and
> reverted them back to originals, and re-ran tripwire to
> check, and update the database. They're changed again
> today.
> The system has already been taken care of in terms of
> nuking it off the net. My question is, how did they get in?
> chkrootkit didn't detect anything, at least not in its
> set of checks, which leads me to believe that either
> they're not aware of this particular break-in, or it's
> something else.
> Does anyone have any insight on this?
>
> --
> W | I haven't lost my mind; it's backed up on tape somewhere.
>
> +--------------------------------------------------------------------
> Ashley M. Kirchner <mailto:ashley@xxxxxxxxxx> . 303.442.6410 x130
> IT Director / SysAdmin / WebSmith . 800.441.3873 x130
> Photo Craft Laboratories, Inc. . 3550 Arapahoe Ave. #6
> http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
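The report above relies on tripwire to spot the replaced binaries. On an RPM-based system like Fedora Core 1, a second, independent check is the package database: `rpm -qf <path>` names the package that owns each file (the ss/ip/tc/nstat family comes from iproute, the image tools from netpbm-progs), and `rpm -Va` or `rpm -Vf <path>` reports which attributes of each installed file differ from what the package recorded. The script below is an added example, not part of this thread or of any Red Hat tool: it parses saved `rpm -V` output and keeps only the findings that indicate content replacement (size, digest or mode changed, or file missing) on non-config files, so a long `rpm -Va` listing can be reduced to the files worth looking at. The sample lines are constructed for the example; the flag patterns are invented and are not output from the host in the report.

```python
"""Triage rpm -V output for a suspected binary-replacement compromise.

Added example, not from the redhat-list thread. Assumes you ran
`rpm -Va` (or `rpm -Vf <path>` per file) on the affected host and saved
the text. The SAMPLE below is constructed: the paths are from the report,
the verify flags are invented to illustrate the parser.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Attribute letters in rpm's verify output, in column order.
# rpm 4.2 (Fedora Core 1 era) prints 8 columns; later releases add 'P'.
ATTR_MEANING = {
    "S": "size differs",
    "M": "mode (permissions/type) differs",
    "5": "MD5/digest differs",
    "D": "device major/minor differs",
    "L": "readlink path differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
    "P": "capabilities differ",
}

# A verify line: 8 or 9 flag columns (letter, '.', or '?'), an optional
# file-type marker (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
LINE_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:([cdglr])\s+)?(/\S.*)$")


@dataclass
class Finding:
    path: str
    attrs: List[str] = field(default_factory=list)
    missing: bool = False
    file_type: str = ""

    def suspicious(self) -> bool:
        """Content replaced or file gone: size, digest or mode differ, or missing.
        A lone 'T' (mtime) is not counted; touching a file changes mtime
        without changing content."""
        return self.missing or any(a in self.attrs for a in ("S", "5", "M"))


def parse_verify(output: str) -> List[Finding]:
    """Turn raw `rpm -V` text into Finding records; skips unrelated lines
    such as 'Unsatisfied dependencies for ...'."""
    findings: List[Finding] = []
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = MISSING_RE.match(line)
        if m:
            findings.append(Finding(path=m.group(2), missing=True,
                                    file_type=m.group(1) or ""))
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        flags, ftype, path = m.groups()
        attrs = [c for c in flags if c in ATTR_MEANING]
        findings.append(Finding(path=path, attrs=attrs, file_type=ftype or ""))
    return findings


def triage(output: str) -> Dict[str, List[str]]:
    """Return {path: [explanations]} for replaced or missing non-config files.
    Config files ('c') with changed digests are expected on any administered
    box and are skipped."""
    report: Dict[str, List[str]] = {}
    for f in parse_verify(output):
        if f.file_type == "c":
            continue
        if f.suspicious():
            why = ["file missing"] if f.missing else [ATTR_MEANING[a] for a in f.attrs]
            report[f.path] = why
    return report


# Constructed sample: paths from the report, flag patterns invented.
SAMPLE = """\
S.5....T    /usr/sbin/ss
S.5....T    /sbin/ip
.......T    /sbin/tc
S.5....T    /usr/lib/libcups.so.2
missing     /usr/bin/pnmtopng
..5....T  c /etc/cups/cupsd.conf
SM5....T    /usr/bin/ppmtogif
Unsatisfied dependencies for netpbm-progs-9.24-12.1.1: libpng12.so.0
"""

if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE).items()):
        print(f"{path}: {', '.join(reasons)}")
```

One caveat for anyone using this on a live incident: the verify data comes from the rpm database on the same disk the intruder already writes to, so a careful attacker can alter it. Treat a clean `rpm -V` as weak evidence; a stronger check is `rpm -Vp` against the original package files from trusted media, run from a boot CD with the suspect filesystem mounted read-only.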