>>>>> "Joshua" == Joshua Newman <[EMAIL PROTECTED]> writes:
Joshua> It's up there (http://nitace.bsd.uchicago.edu:8080/share).
Joshua> It has /etc, /lib/security/.config. some of the /proc that
Joshua> was messed with, corrupt and clean versions of ps, find,
Joshua> df, and du (ps.old/ps.new old=corrupt, new=fresh rpm's)
If you look at the public key in
/lib/security/.config/ssh/ssh_host_key.pub it shows root@NoraD. A
Google search for that phrase turns up the adore rootkit, which they
say has been used with particular effectiveness on RHL7 machines and
has an ssh daemon running on port 15000 which is activated by the
sendmail command.
There is a mindbogglingly comprehensive analysis of an attack using
this rootkit on http://www.sans.org/y2k/the_compromise.htm. From my
read of this page, it appears the attackers got root by alternating
requests on LPR port (515) AND TCP 3879. Is my read of this page
right, and how could this work?
The author of this page suspects an LPRng vulnerability. CERT has
issued a couple of LPRng vulnerabilities that can give root, but none
of them appear recent enough to affect RHL7.2 (RHL7.1 issued an LPRng
rpm update but there is nothing for 7.2). That said, that does not
mean there is not a new or existing vulnerability not covered by
previous patches. Or perhaps your cracker used something else
entirely.
In any case, if this is the way people exploit the machines, you
(josh) probably got whacked because your firewall was down.
JDH
_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
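The indicators JDH lists above (the /lib/security/.config directory, the root@NoraD host-key comment, the backdoor sshd on tcp/15000, and trojaned ps/find/df/du that differ from fresh rpm copies) can be checked in one pass. The script below is an added example written for this page, not code from the thread or from the SANS write-up; it assumes you have a saved "netstat -ltn" listing and a directory of known-good binaries, and the fixture builder fabricates a fake compromised tree purely so the script can be exercised offline.

```shell
#!/bin/sh
# Read-only triage for the adore-rootkit indicators named in the message above.
# Paths, the tcp/15000 listener and the "root@NoraD" key comment come from the
# message; the argument layout and the fixture are assumptions for this example.

# check_adore_indicators ROOT LISTENERS REF_DIR
#   ROOT      - filesystem root to inspect ("/" on a live box, or a mounted image)
#   LISTENERS - file holding the output of "netstat -ltn" (one socket per line)
#   REF_DIR   - known-good copies of ps find df du (e.g. extracted from fresh rpms)
# Prints one line per indicator found; exit status is the number of hits (0 = clean).
check_adore_indicators() {
    root=$1; listeners=$2; ref=$3; hits=0

    # 1. The rootkit's hidden configuration directory.
    if [ -d "$root/lib/security/.config" ]; then
        echo "HIT: $root/lib/security/.config exists"
        hits=$((hits + 1))
    fi

    # 2. The ssh host key the kit ships with (comment root@NoraD).
    pub="$root/lib/security/.config/ssh/ssh_host_key.pub"
    if [ -f "$pub" ] && grep -q 'root@NoraD' "$pub"; then
        echo "HIT: $pub carries comment root@NoraD"
        hits=$((hits + 1))
    fi

    # 3. A listener on tcp/15000 (the backdoor sshd). Matches the local
    #    address column of netstat output; the foreign column is ":*".
    if grep -Eq '^tcp.*:15000[[:space:]].*LISTEN' "$listeners"; then
        echo "HIT: something is listening on tcp/15000"
        hits=$((hits + 1))
    fi

    # 4. Trojaned userland: compare each binary against its reference copy.
    #    RHL keeps ps/df/du in /bin and find in /usr/bin, so try both.
    for b in ps find df du; do
        [ -f "$ref/$b" ] || continue
        for d in bin usr/bin; do
            [ -f "$root/$d/$b" ] || continue
            if [ "$(cksum < "$ref/$b")" != "$(cksum < "$root/$d/$b")" ]; then
                echo "HIT: $root/$d/$b differs from reference copy"
                hits=$((hits + 1))
            fi
        done
    done
    return "$hits"
}

# make_fixture DIR: build a constructed tree that mimics the compromised box
# (fake data, not real evidence) so the checker can be run without a victim.
make_fixture() {
    dir=$1
    mkdir -p "$dir/root/lib/security/.config/ssh" "$dir/root/bin" "$dir/ref"
    echo '1024 35 1234567 root@NoraD' > "$dir/root/lib/security/.config/ssh/ssh_host_key.pub"
    printf 'clean ps\n'    > "$dir/ref/ps"       # reference copy from a fresh rpm
    printf 'trojaned ps\n' > "$dir/root/bin/ps"  # what the intruder left behind
    printf 'clean du\n'    > "$dir/ref/du"
    printf 'clean du\n'    > "$dir/root/bin/du"  # untouched, should not be flagged
    printf 'tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN\ntcp 0 0 0.0.0.0:15000 0.0.0.0:* LISTEN\n' \
        > "$dir/netstat.txt"
}

# Live use (run netstat first, since this is plain sh):
#   netstat -ltn > /tmp/listeners.txt
#   check_adore_indicators / /tmp/listeners.txt /mnt/cdrom/clean-bin
```

Run it from a trusted shell with trusted binaries (a rescue CD or statically linked copies), since a trojaned ps or find on the suspect box can hide exactly what you are looking for; the fixture yields four hits (directory, key comment, port, ps) and leaves the unmodified du alone.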