On 2009-08-10, Alan McKinnon <[email protected]> wrote:
> On Monday 10 August 2009 05:36:00 Grant Edwards wrote:
>> On 2009-08-08, pk <[email protected]> wrote:
>> > Grant Edwards wrote:
>> >> That's what I thought back when I was using dialup on a Linux
>> >> box that didn't have any servers running.  Then one day I got
>> >> root-kitted.
>> >
>> > This may be off-topic but I'm curious about the details. Can you please
>> > elaborate?
>>
>> Well, it was probably about 9 years ago, but here's the way I
>> remember it:
>>
>> It started when I noticed the modem's RX/TX lights were
>> flashing when there was no reason for them to be doing so (I
>> was in the habit of keeping an eye on them to make sure the
>> connection was working OK).  When I did a netstat, it showed
>> active network connections that shouldn't have been there, but
>> ps didn't show the processes that netstat said had connections
>> open.  The "ps" binary had been replaced with a hacked version.
>> IIRC, so had the "lsof" binary because it didn't show the
>> processes that had the connections open either.
>>
>> I was running an RPM-based installation at the time (RH 6 or 7
>> I believe), and an rpm "verify" command failed for a
>> handful of system related binaries (among them ps and lsof):
>> they weren't the same files that rpm had installed.
>
> There was a Red Hat *.0 release of that era that shipped with
> every possible service installed and running, accepting
> connections from anywhere. IIRC, average time to be rooted was
> measured in minutes...

Unless RH had somehow hidden the servers, I'm pretty sure I
wasn't running any except for ssh and ntp.  I always did manual
installs where I went through and reviewed all of the packages
being installed.

> Red Hat were quite clear at the time that the release was not
> actually for real use, more for testing. I think the switch to
> glibc-2 was the underlying reason. Anyway, lots of folks got
> bitten because they installed and used it anyway.
>
> Perhaps you got caught up in that?

It could be there were services running that I didn't know
about. If so, they would have had to have been installed on the
sly by Anaconda without having a checkmark next to them. They
also would have had to start up without any notification on the
boot-up screen.

-- 
Grant Edwards                   grante             Yow! Is this sexual
                                  at               intercourse yet??  Is it,
                               visi.com            huh, is it??
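The post above describes two signals that caught the compromise: netstat reporting connections that the replaced ps and lsof binaries would not account for, and rpm's verify mode flagging system binaries that no longer matched what the package manager had installed. As an added example, not from this thread or from any of its posters, here is a small baseline-and-verify integrity check in Python that does the essence of what `rpm -V` did for Grant: record a digest, mode and size for every file in a tree, then later report anything modified, missing or added. It uses only the standard library; the file names under the temporary directory in `demo()` are constructed for the demonstration and stand in for the real `/bin` binaries.

```python
"""Baseline-and-verify file integrity check, in the spirit of `rpm -V`.

Added example; not code from the mailing-list post. Assumes only the
Python standard library. build_manifest() records SHA-256, mode and size
for every regular file under a root; verify_manifest() re-checks the tree
and reports what changed.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _regular_files(root: Path):
    """Yield (relative posix path, Path) for regular, non-symlink files under root."""
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            yield p.relative_to(root).as_posix(), p


def build_manifest(root) -> dict:
    """Take the baseline: one record per file, keyed by path relative to root."""
    root = Path(root)
    manifest = {}
    for rel, p in _regular_files(root):
        st = p.stat()
        manifest[rel] = {
            "sha256": _sha256(p),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
        }
    return manifest


def verify_manifest(root, manifest: dict) -> dict:
    """Re-check the tree against a baseline; like `rpm -V`, an empty report is the good outcome."""
    root = Path(root)
    findings = {"modified": [], "missing": [], "mode_changed": [], "unexpected": []}
    for rel, rec in manifest.items():
        p = root / rel
        if not p.is_file():
            findings["missing"].append(rel)
            continue
        # Content first: a replaced ps/lsof shows up here even if size is unchanged.
        if _sha256(p) != rec["sha256"]:
            findings["modified"].append(rel)
        if stat.S_IMODE(p.stat().st_mode) != rec["mode"]:
            findings["mode_changed"].append(rel)
    # Anything present now that the baseline never recorded.
    for rel, _ in _regular_files(root):
        if rel not in manifest:
            findings["unexpected"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def demo() -> dict:
    """Constructed scenario: baseline three stand-in binaries, then alter the tree and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for name in ("ps", "lsof", "ls"):
            (root / "bin" / name).write_bytes(b"#!/bin/sh\necho original " + name.encode() + b"\n")
        manifest = build_manifest(root)

        # Tamper with the tree the way the post describes: ps and lsof replaced,
        # plus one extra file dropped in and one file removed.
        (root / "bin" / "ps").write_bytes(b"#!/bin/sh\necho replaced ps\n")
        (root / "bin" / "lsof").write_bytes(b"#!/bin/sh\necho replaced lsof\n")
        (root / "bin" / ".extra").write_bytes(b"x")
        (root / "bin" / "ls").unlink()

        return verify_manifest(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:13s} {paths}")
```

The check is only as trustworthy as the baseline it compares against. rpm's database lives on the same disk as the binaries it describes, so a compromise that swaps out `ps` can in principle edit that database too; the manifest produced by `build_manifest` should be written to read-only or off-host storage (or signed) at install time, and the verification should ideally be run from a clean boot medium rather than with the suspect system's own `python` and `sha256` code.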