--- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> All,
> I have installed a redhat 7.2 box in a local school system. Its
> functions include:
> 
> Servers:
> FTP
> HTTP
> SSH
> DHCP 
> DNS
> Email
> 
> I have discovered someone created a user account with the home dir of
> /var/.bash2
> They granted themselves group member of a principal. I noticed three
> files in their home dir of what appears to be a root exploit called
> dr. dolittle. I have not heard of this exploit. Anyhow, I disabled
> the account.
> I was curious as to how to prevent this from the future. I suspect it
> is a student causing this. I am wondering if I can disable the shell
> access to all except a select few. Will this cause problems with
> email services, etc?
> Will this prevent users from getting to a shell to run these
> exploits?
> Any help would be greatly appreciated.....
> thanks
> daniel kuecker
> 

Best guess would be that someone guessed or manipulated a privileged
account password. Look at logs for connections (if this was a real
hacker you will not find anything). Red Hat has drwxr-xr-x on /var? So
proof of a root hack if that is the case.

As far as the shell goes, you can always play with the inittab
file!

In any case you need to upgrade to 8.0, otherwise due to a lot of
httpd->apache and openssl security holes you're like fish in a barrel.

I was a kid once ( :)  _) and I can remember a certain area12
hack on the school's main servers long ago...... in a mac unix far away.
Never at a school do you use pen or pencil as a password.

------ted----
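
An added example, not part of either message: a Python audit of passwd-format entries for the signs described in this thread (a home directory hidden under /var, an unexpected login shell, root-level IDs on an ordinary account). The sample entries and account names, the `/home` root, the UID threshold of 500 and the allow-list are assumptions constructed for illustration.

```python
# Constructed sample in /etc/passwd format (not taken from the original post).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
teacher1:x:500:500:Staff:/home/teacher1:/bin/bash
student7:x:612:100:Student:/home/student7:/bin/bash
sysop:x:613:0:,,,:/var/.bash2:/bin/bash
"""

# Shells that refuse an interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}


def audit(passwd_text, shell_allowed, home_roots=("/home",), uid_min=500):
    """Return {account: [findings]} for entries that deserve a closer look.

    shell_allowed: accounts that are meant to have a login shell (assumed list).
    uid_min: first UID handed to ordinary users (assumed 500 here).
    """
    findings = {}
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.setdefault(line, []).append("malformed entry")
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        notes = []
        if name != "root" and (uid == "0" or gid == "0"):
            notes.append("uid or gid 0 on a non-root account")
        if any(part.startswith(".") for part in home.split("/")):
            notes.append("hidden directory in home path")
        if uid.isdigit() and int(uid) >= uid_min and not any(
                home.startswith(root + "/") for root in home_roots):
            notes.append("home outside " + ", ".join(home_roots))
        # An empty shell field means /bin/sh, so it counts as a login shell.
        if shell not in NOLOGIN_SHELLS and name not in shell_allowed:
            notes.append("login shell but not on the allow-list")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for account, notes in audit(SAMPLE_PASSWD, {"root", "teacher1"}).items():
        print(account + ": " + "; ".join(notes))
```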

