On Thu, 4 Dec 2003, Ira Abramov wrote:

> Quoting guy keren, from the post of Thu, 04 Dec:
> >
> > due to a security bug found in rsync, when running in daemon mode, i
> > temporarily disabled the 'rsyncd' service (which runs 'rsync --daemon') on
> > IGLU's server.
> >
> > Ilya - i couldn't see where are the sources that rsync was compiled from.
> > however, it looks like the rsync binary was replaced on 21-november - any
> > idea who replaced it and why?
> >
> > as far as i understand, this bug was announced after that date.
>
> my personal server was running rsync as a daemon, and was cracked and a
> root kit was installed on November 25th. I just finished reinstalling
> the system with Kernel 2.4.23.
>
> triple check the server, especially with suspiciously new files in /bin,
> /sbin and such.
>
> ls -lt /bin|head or whatnot.

no new files there. not even if checking with 'ls -lct'.
i also scanned other directories previously (/etc, /usr/bin and probably a
few others) and found nothing.

by the way, never trust the output of 'ls' unless you use the '-c' flag,
since the 'last modification' time of files may be changed backwards using
'touch' (for example), while the time of last modification of their
attributes (e.g. 'last modification' time, permissions, etc) can not be
changed, unless one tampers with the kernel itself.

-- 
guy

"For world domination - press 1,
 or dial 0, and please hold, for the creator." -- nob o. dy
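
The mtime versus ctime point in the message above, as an added example that is not part of the original post: a small check that lists files whose ctime is recent while their mtime is old, run against a constructed temporary directory. The function name `backdated_files`, the file names and the one-day window are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. All paths are constructed.

# Print regular files under DIR whose inode change time (ctime) falls within
# the last DAYS days while their modification time (mtime) is older than that.
# A backdated mtime produces exactly this pattern.
backdated_files() {
    dir=$1
    days=${2:-1}
    find "$dir" -xdev -type f -ctime "-$days" ! -mtime "-$days" -print
}

# Build two sample files and compare the mtime view with the ctime view.
demo() {
    tmp=$(mktemp -d) || return 1
    echo data > "$tmp/fresh"                 # mtime and ctime are both "now"
    echo data > "$tmp/backdated"
    touch -t 200101010000 "$tmp/backdated"   # mtime set to 2001, ctime stays "now"

    echo "recent by mtime (the timestamp 'ls -lt' sorts on):"
    find "$tmp" -type f -mtime -1 -print

    echo "recent by ctime but not by mtime (still visible to 'ls -lct'):"
    backdated_files "$tmp" 1

    rm -rf "$tmp"
}

demo
```

A recent ctime with an old mtime also appears after a permission change or a package upgrade that restores archive timestamps, so each hit is a lead to examine rather than proof of tampering.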
