On Sun, 2 Jan 2000, Michael Hatchard wrote:
> Someone has hacked into our system.
> I'm not quite sure how he is getting in.

He's almost certainly using the "RSA buffer overrun" exploit in ssh.
Try replacing ssh with OpenSSH from
ftp://ftp.redhat.de/pub/rh-addons/security/

> pico
I've never seen anyone with a lot of Unix experience use pico as his
primary editor. It's probably a script kiddie without much of a clue.

> pico /etc/inetd.conf
> killall -9 inetd

You'll want to check your inetd.conf. He might have added a "feature" like
"telnet to port xyz to get a rootshell without needing a password", either
by calling /bin/sh directly or by calling the uid thing he put on your
system.

> File uid.c contains
> #include <unistd.h>
> main ()
> {
> setguid(0)
> setuid(0)
> excel("/bin/sh","/bin/sh",NULL);
> }

A wrapper to /bin/sh

> There are also new config files for ssh in /etc
Completely remove ssh and all its config files, and install the OpenSSH
RPMs.

LLaP
bero
--
Nobody will ever need more than 640 kB RAM.
-- Bill Gates, 1983
Windows 98 requires 16 MB RAM.
-- Bill Gates, 1999
Nobody will ever need Windows 98.
-- logical conclusion
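
The inetd.conf check suggested in the reply above, as an added example that is not part of the original message: a small auditor that flags entries whose server program (or wrapped program) is a shell, and root-run entries outside the expected daemon directories. The sample file, the service names `xyz` and `abc`, the path `/home/user/uid`, and the `TRUSTED_DIRS` baseline are constructed assumptions, not values from the affected host.

```python
import os

SHELLS = {"sh", "bash", "ash", "csh", "tcsh", "ksh", "zsh"}
# Assumption: directories where this host's legitimate inetd servers live.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/libexec/")

# Constructed sample inetd.conf, not taken from the compromised system.
SAMPLE = """\
# standard services
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
time    stream tcp nowait root   internal
xyz     stream tcp nowait root   /bin/sh sh
abc     stream tcp nowait root   /home/user/uid uid
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
"""

def audit_inetd(text):
    """Return (line_no, service, reason) for each suspicious entry."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields: service, socket type, protocol, wait flag, user, program, args
        fields = line.split()
        if len(fields) < 6:
            findings.append((no, fields[0], "malformed entry"))
            continue
        service, user, program = fields[0], fields[4], fields[5]
        if program == "internal":
            continue  # handled inside inetd itself, no external binary
        is_root = user.split(".")[0].split(":")[0] == "root"
        # Check the program and its first argument, so a shell started
        # through a wrapper such as tcpd is caught as well.
        if any(os.path.basename(f) in SHELLS for f in fields[5:7]):
            findings.append((no, service, "server program is a shell"))
        elif is_root and not program.startswith(TRUSTED_DIRS):
            findings.append((no, service, "root service outside trusted dirs"))
    return findings

if __name__ == "__main__":
    for no, service, reason in audit_inetd(SAMPLE):
        print(f"line {no}: {service}: {reason}")
```

Run it against a copy of the real file by passing `open("/etc/inetd.conf").read()` to `audit_inetd`, and compare the findings with a known-good inetd.conf from the distribution package.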