Sounds like the wu-ftpd and rpc.statd vulnerability
to me.

Take a look in 

ftp://ftp.redhat.com/pub/redhat/linux/updates/6.2/en/os/i386

or a mirror for the updates you should have installed.

Phil
---------------------------------------------
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK 

> -----Original Message-----
> From: MegaNet Domainreg. [mailto:[EMAIL PROTECTED]]
> Sent: 30 April 2001 14:28
> To: [EMAIL PROTECTED]
> Subject: hacked
> 
> 
> I just got 2 Red Hat 6.2 machines broken into. Has anyone seen
> this root kit, and does anyone know what the exploit was?
> It creates user/group tcp and runs an IRC robot (psybnc), among
> other things.
> Thanks, Paul.
> 
> Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
> Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
> Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
> Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
> Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.
> Apr 29 04:22:00 noctech2 anacron[7419]: Updated timestamp for job
> `cron.weekly' to 2001-04-29
> Apr 29 06:27:09 noctech2 ftpd[12382]: FTP LOGIN REFUSED (ftp in
> /etc/ftpusers) FROM pD9538A73.dip.t-dialin.net 
> [217.83.138.115], anonymous
> Apr 29 06:27:10 noctech2 ftpd[12382]: FTP session closed
> Apr 29 07:36:55 noctech2 inetd[500]: pid 12400: exit status 1
> Apr 29 07:39:30 noctech2 PAM_pwdb[12403]: (login) session 
> opened for user
> tcp by (uid=0)
> Apr 29 07:42:29 noctech2 PAM_pwdb[12428]: (su) session opened 
> for user uid
> by tcp(uid=506)
> Apr 29 07:44:15 noctech2 kernel: Kernel logging (proc) stopped.
> Apr 29 07:44:15 noctech2 kernel: Kernel log daemon terminating.
> Apr 29 07:44:17 noctech2 syslog: klogd shutdown succeeded
> Apr 29 07:44:17 noctech2 exiting on signal 15
> Apr 29 07:44:17 noctech2 syslogd 1.3-3: restart.
> Apr 29 07:44:17 noctech2 syslog: syslogd startup succeeded
> Apr 29 07:44:17 noctech2 kernel: klogd 1.3-3, log source = /proc/kmsg
> started.
> Apr 29 07:44:17 noctech2 kernel: Inspecting 
> /boot/System.map-2.2.14-5.0
> Apr 29 07:44:17 noctech2 syslog: klogd startup succeeded
> Apr 29 07:44:18 noctech2 kernel: Loaded 7337 symbols from
> /boot/System.map-2.2.14-5.0.
> Apr 29 07:44:18 noctech2 kernel: Symbols match kernel version 2.2.14.
> Apr 29 07:44:18 noctech2 kernel: Loaded 87 symbols from 3 modules.
> Apr 29 07:44:17 noctech2 syslog: syslogd shutdown succeeded
> Apr 29 08:05:49 noctech2 PAM_pwdb[12428]: (su) session closed 
> for user uid
> Apr 29 09:11:38 noctech2 rpc.statd[374]: gethostbyname error for
> ^X���^X���^Y���^Y���^Z���^Z���^[���^[���bffff750 8049710
> 8052c18687465676274736f6d616e797265206520726f7220726f66
> bffff718
> bffff719  bffff71a
> bffff71b������������������������������������������������������
> ��������������
> ��������������������������������������������������������������
> ��������������
> ��������������������������������������������������������������
> ��������������
> �������������������!
> ������������������������������������������
> Apr 29 19:27:51 noctech2 ftpd[17765]: FTP LOGIN REFUSED (ftp in
> /etc/ftpusers) FROM bzq-228-99.bezeqint.net [212.179.228.99], 
> anonymous
> Apr 29 19:27:52 noctech2 ftpd[17765]: FTP session closed
> Apr 30 04:02:00 noctech2 anacron[17900]: Updated timestamp for job
> `cron.daily' to 2001-04-30
> Apr 30 09:02:16 noctech2 PAM_pwdb[656]: (login) session 
> opened for user root
> by LOGIN(uid=0)
> 
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 
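The indicators in Paul's excerpt (the rpc.statd gethostbyname line carrying stack addresses and non-printable bytes, the login and su as the rootkit's tcp account, and syslog being stopped at 07:44) can be pulled out of a Red Hat 6.2 /var/log/messages mechanically. The script below is an added example, not part of the thread or of any Red Hat tool; the log lines in it are constructed in the style of the excerpt (hostname noctech2 kept, the FTP client replaced with a documentation address), and the rule names and the expected-users list are my own assumptions.

```python
import re
from collections import namedtuple
from typing import FrozenSet, Iterable, List

# Constructed sample lines modelled on the excerpt in the thread (not the
# poster's original lines). The rpc.statd line carries the kind of "hostname"
# the exploit leaves behind: control bytes, a 0x90 sled and x86 Linux 2.2
# user-stack addresses (0xbffffxxx).
SAMPLE_LOG = [
    "Apr 29 04:02:00 noctech2 syslogd 1.3-3: restart.",
    "Apr 29 07:39:30 noctech2 PAM_pwdb[12403]: (login) session opened for user tcp by (uid=0)",
    "Apr 29 07:42:29 noctech2 PAM_pwdb[12428]: (su) session opened for user uid by tcp(uid=506)",
    "Apr 29 07:44:15 noctech2 kernel: Kernel log daemon terminating.",
    "Apr 29 07:44:17 noctech2 syslog: klogd shutdown succeeded",
    "Apr 29 09:11:38 noctech2 rpc.statd[374]: gethostbyname error for "
    "\x18\xff\xff\xff\x19\xff\xff\xffbffff750 8049710 " + "\x90" * 32 + "\xff" * 8,
    "Apr 29 19:27:51 noctech2 ftpd[17765]: FTP LOGIN REFUSED (ftp in /etc/ftpusers) "
    "FROM host.example [192.0.2.10], anonymous",
    "Apr 30 09:02:16 noctech2 PAM_pwdb[656]: (login) session opened for user root by LOGIN(uid=0)",
]

# "Mon DD HH:MM:SS host prog[pid]: message" as written by sysklogd 1.3.
# prog is non-greedy so "syslogd 1.3-3: restart." parses as prog="syslogd 1.3-3".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>.+?)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
STACK_ADDR = re.compile(r"bffff[0-9a-f]{3}")  # Linux 2.2 x86 user stack
PAM_OPEN = re.compile(
    r"\((?P<svc>login|su)\) session opened for user (?P<user>\S+) by (?P<by>.+)"
)

Finding = namedtuple("Finding", "ts rule detail")


def is_binary(s: str) -> bool:
    """True if s holds anything outside printable 7-bit ASCII."""
    return any(not 0x20 <= ord(c) <= 0x7E for c in s)


def triage(lines: Iterable[str],
           expected_users: FrozenSet[str] = frozenset({"root"})) -> List[Finding]:
    """Flag the compromise indicators visible in the thread's excerpt.

    expected_users is an assumed allowlist of accounts that may legitimately
    open login/su sessions on this box; anything else (e.g. the rootkit's
    'tcp' user) is reported.
    """
    findings = []
    for raw in lines:
        m = SYSLOG_RE.match(raw.rstrip("\n"))
        if not m:
            continue
        ts, prog, msg = m["ts"], m["prog"], m["msg"]
        if prog == "rpc.statd" and msg.startswith("gethostbyname error for "):
            # A genuine hostname is printable ASCII. Control bytes, a NOP sled
            # or stack addresses mean the format-string hole in statd was hit.
            arg = msg[len("gethostbyname error for "):]
            if is_binary(arg) or STACK_ADDR.search(arg):
                findings.append(Finding(ts, "statd-format-string",
                                        "non-printable bytes or stack addresses in hostname"))
        elif prog == "PAM_pwdb":
            pm = PAM_OPEN.search(msg)
            if pm and pm["user"] not in expected_users:
                findings.append(Finding(ts, "pam-%s-unexpected-user" % pm["svc"],
                                        "%s by %s" % (pm["user"], pm["by"])))
        elif prog == "kernel" and "log daemon terminating" in msg:
            # syslog stopped outside boot is how a rootkit installer covers
            # its tracks; the 04:02 syslogd restarts are logrotate-style HUPs
            # and are deliberately not flagged.
            findings.append(Finding(ts, "klogd-stopped", msg))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ts, f.rule, f.detail)
```

Run it against a copy of /var/log/messages (`triage(open("/var/log/messages", errors="surrogateescape"))`), ideally from a mounted image rather than the live, possibly trojaned, box. The flags only say what was logged, not which hole got them in: in the excerpt the statd hit is logged after the tcp login, so the order of events is still a question for the reader.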