Not silly sounding to me.  I thought that's basically
what tripwire did (I actually have no idea, though
I'm sure going to find out!)

I think, based on timestamps of files, the jacka^H^H^H^H
person used an exploit in the ftp server and deposited
the hacked inetd.conf file.  Unfortunately, I have no
idea what else they changed, though going by timestamps,
there wasn't anything else. (a reinstall is sounding
inevitable)

What's curious is, I did a search of the whole file system
for the date when inetd.conf changed, and found I had
just installed and run "saint" looking for security
holes around the same time.  Hmmmmm..... coincidence?
(btw - Saint didn't (and doesn't - I just ran it again) find
the open port)

I'm _hoping_ they put the new inetd.conf file there then
hoped to log in to port 9704, but couldn't because
I have a linksys router that doesn't forward that port.

That's my current theory :)

Mark

> 
> Message: 14
> Date: Tue, 12 Sep 2000 09:54:30 -0500
> To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED] (Jonathan Wilson)
> Subject: Re: highly suspicious line in inetd.conf
> Reply-To: [EMAIL PROTECTED]
> 
> I was just thinking. I know there's trip wire and stuff, but it would be
> neat to have cron run a script that did md5sum "checks" on various things
> and mailed you if the sum changed on anything that's in its list. Anyone
> have anything like that? I know practically nothing about scripting, but how
> hard would that be to write?  Seems like it would go something like this:
> 
> For every file in /etc/this_script's.conf, do "$file /path/to/md5sum" >
> /var/log/today's_copy. and diff /var/log/today's_copy against
> /var/log/yesterday's_copy, if today's_copy != yesterday's_copy, mail root
> 
> OTH maybe I'm just silly ;-)
> 
>                  JW



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
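
The cron-driven checksum comparison proposed in the quoted message, written out as an added example that is not part of the original thread. It uses sha256sum in place of md5sum, and the watch-list and state-directory paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths in the usage comment are assumptions.
# Uses sha256sum where the message says md5sum; set HASH_CMD=md5sum to match it.
HASH_CMD=${HASH_CMD:-sha256sum}

# snapshot LIST: print one "hash  path" line per path named in LIST.
# Blank lines and #-comments are skipped; an unreadable or deleted file is
# recorded as MISSING so that its removal also shows up in the diff.
snapshot() {
    while IFS= read -r f || [ -n "$f" ]; do
        case $f in ''|'#'*) continue ;; esac
        if [ -f "$f" ] && [ -r "$f" ]; then
            "$HASH_CMD" -- "$f"
        else
            printf 'MISSING  %s\n' "$f"
        fi
    done < "$1"
}

# check_integrity LIST STATE_DIR
# Returns 0 on the first run (baseline created) or when nothing changed,
# 1 when today's sums differ from yesterday's (diff is printed), 2 on error.
check_integrity() {
    list=$1
    state=$2
    today=$state/today.sums
    yesterday=$state/yesterday.sums
    mkdir -p "$state" || return 2
    snapshot "$list" > "$today" || return 2
    if [ ! -f "$yesterday" ]; then
        mv "$today" "$yesterday"
        return 0
    fi
    if report=$(diff "$yesterday" "$today"); then
        rm -f "$today"
        return 0
    fi
    printf '%s\n' "$report"
    mv "$today" "$yesterday"   # roll the baseline so each change is mailed once
    return 1
}

# From cron (hypothetical paths), mail root only when something changed:
#   out=$(check_integrity /etc/integrity.list /var/lib/integrity) \
#       || printf '%s\n' "$out" | mail -s "checksum change on $(hostname)" root
```

The stored sums are only as trustworthy as the place they are kept: a baseline on the same writable disk can be rewritten along with the files it covers, so keep a copy on read-only media or another host.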
