On May 13, 2004 10:55 am, Ashley M. Kirchner wrote:

> I'm looking at a possible unauthorized access to one of our servers
> running Fedora Core 1 with all the current updates. The infected
> (modified) files are:
>
> "/usr/sbin/nstat"
> "/usr/sbin/rtacct"
> "/usr/sbin/rtstat"
> "/usr/sbin/ss"
>
> "/usr/lib/libcups.so.2"
> "/usr/lib/libcupsimage.so.2"
> "/usr/lib/libijs.so"
> "/usr/lib/libpng12.so.0.1.2.2"
>
> "/sbin/ip"
> "/sbin/tc"
> "/sbin/rtmon"
>
> ...and just about all of the user binaries that come with
> netpbm-progs-9.24-12.1.1
>
> I first noticed changes in those files yesterday and reverted them
> back to originals, and re-ran tripwire to check, and update the
> database. They're changed again today.
>
> The system has already been taken care of in terms of nuking it off
> the net. My question is, how did they get in? chkrootkit didn't detect
> anything, at least not in its set of checks, which leads me to believe
> that either they're not aware of this particular break-in, or it's
> something else.
>
> Does anyone have any insight on this?
>
> --
> W | I haven't lost my mind; it's backed up on tape somewhere.
> +--------------------------------------------------------------------
> Ashley M. Kirchner <mailto:ashley@xxxxxxxxxx> . 303.442.6410 x130
> IT Director / SysAdmin / WebSmith . 800.441.3873 x130
> Photo Craft Laboratories, Inc. . 3550 Arapahoe Ave. #6
> http://www.pcraft.com ..... . . . Boulder, CO 80303, U.S.A.

Hi,

We had a Solaris box hacked the other day. The machine is off-line but has not been looked at. So far it looks like there was a sendmail vulnerability that came out around the 8th (from what I could find) and we got hacked on the 9th (at least that is when an "eee" and a "r00t" account showed up). Does your box have sendmail listening to the outside?

--
Pete Nesbitt, rhce
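Added example, not from the thread or from tripwire itself: a minimal tripwire-style baseline-and-compare in Python that stages constructed copies of the paths named above in a temporary directory, baselines them, and then shows how a replaced binary, a newly dropped file and a removed file are reported. The file contents, the `usr/sbin/extra_tool` path and the use of a temporary directory in place of `/` are assumptions made for the demo.

```python
import hashlib
import os
import tempfile

# Paths the thread names as modified, relative to / so the demo can stage them.
WATCHED = ["usr/sbin/nstat", "usr/sbin/rtacct", "usr/sbin/ss", "usr/lib/libcups.so.2",
           "usr/lib/libpng12.so.0.1.2.2", "sbin/ip", "sbin/tc", "sbin/rtmon"]

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root):
    """Hash every regular file under root: relpath -> (sha256, size, mode bits)."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (sha256_file(full), st.st_size, st.st_mode & 0o7777)
    return snap

def compare(baseline, current):
    """Classify differences the way a tripwire report does."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)

def demo():
    """Baseline constructed copies of the files, then simulate a second round of tampering."""
    with tempfile.TemporaryDirectory() as root:
        for rel in WATCHED:
            _write(root, rel, b"original " + rel.encode())
        baseline = snapshot(root)  # must come from a trusted copy (e.g. package media), not the live host
        _write(root, "sbin/ip", b"replaced binary")       # constructed: content changed
        _write(root, "usr/sbin/extra_tool", b"dropped")   # constructed: new file appears
        os.remove(os.path.join(root, "usr/sbin/nstat"))  # constructed: file removed
        return compare(baseline, snapshot(root))
```

The point the thread illustrates is the baseline's provenance: re-running tripwire against a database updated on the compromised host only tells you what changed since the last look, so the known-good hashes have to come from untouched package media or a clean system.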