I just ran chkrootkit, and it has found a possible LKM infection. Port 1010 is open; nmap says it doesn't know what it is. I can't tell what rootkit was used. Anyone have any ideas on how to stop this? I know the who file doesn't work, ifconfig doesn't work, and .bash_history is linked to another file I can't find. Any suggestions?

----- Original Message -----
From: "dax wood" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 10:22 PM
Subject: Re: [sclug-general] security
> --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > All,
> > I have installed a Red Hat 7.2 box in a local school system. Its
> > functions include:
> >
> > Servers:
> > FTP
> > HTTP
> > SSH
> > DHCP
> > DNS
> > Email
> >
> > I have discovered someone created a user account with the home dir of
> > /var/.bash2
> > They granted themselves group membership of a principal. I noticed three
> > files in their home dir of what appears to be a root exploit called
> > Dr. Dolittle. I have not heard of this exploit. Anyhow, I disabled
> > the account.
> > I was curious as to how to prevent this in the future. I suspect it
> > is a student causing this. I am wondering if I can disable the shell
> > access to all except a select few. Will this cause problems with
> > email services, etc.?
> > Will this prevent users from getting to a shell to run these
> > exploits?
> > Any help would be greatly appreciated.....
> > Thanks
> > Daniel Kuecker
>
> Best guess would be that someone guessed or manipulated a privileged
> account password. Look at logs for connections (if this was a real
> hacker you will not find anything). Red Hat has drwxr-xr-x on /var? So
> proof of a root hack if that is the case.
> As far as the shell goes you can always play with the inittab
> file!
>
> In any case you need to upgrade to 8.0; otherwise, due to a lot of
> httpd->apache and openssl security holes, you're like fish in a barrel.
>
> I was a kid once ( :) ) and I can remember a certain area12
> hack on the school's main servers long ago...... in a Mac Unix far away.
> Never at a school do you use pen or pencil as a password.
>
> ------ted----
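An added example, not part of the thread and not written by any of the posters, covering both the triage described in the reply above (an unexplained listener on port 1010, trojaned who/ifconfig, a .bash_history symlink) and Daniel's question about taking shell access away from everyone but a few accounts. It assumes nothing about the box beyond a POSIX shell, awk, readlink and the /proc and /etc/passwd layouts; every function reads from a path you hand it, so it can be pointed at the live /proc and /etc or at copies saved from the suspect machine. The sample inputs in the comments and the test are constructed. The caveat that matters: once an LKM rootkit is in the kernel, anything read through /proc can be filtered, so treat these as first-pass checks, confirm the listener with a port scan from another host, and plan on reinstalling rather than cleaning.

```shell
#!/bin/sh
# Added example (not from the list thread): offline triage helpers.

# 1. Listening TCP ports decoded from a /proc/net/tcp-style file.
#    Field 2 is local "addr:port" in hex, field 4 is the socket state
#    (0A = LISTEN). Reading /proc directly sidesteps a trojaned netstat,
#    but a kernel rootkit can still hide rows here.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hex; do
        echo $((0x$hex))            # hex port -> decimal, e.g. 03F2 -> 1010
    done | sort -n | uniq
}

# 2. PIDs that appear in a /proc directory listing but not in ps output.
#    $1: one PID per line from  ls /proc | grep '^[0-9]'
#    $2: one PID per line from  ps -eo pid=
#    A trojaned ps hides its processes; /proc usually still shows them.
hidden_pids() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         $1 ~ /^[0-9]+$/ && !($1 in seen) { print $1 }' "$2" "$1"
}

# 3. Where a home directory's .bash_history really points. Rootkit install
#    scripts commonly replace it with a symlink (often to /dev/null) so the
#    intruder's commands are never recorded. Prints the target and returns 0
#    only when the file is a symlink.
history_link_target() {
    f="$1/.bash_history"
    if [ -L "$f" ]; then
        readlink "$f"
        return 0
    fi
    return 1
}

# 4. Shell lockdown plan for Daniel's question: list the usermod commands
#    that would move every ordinary account (uid >= 500, the Red Hat default
#    UID_MIN) off an interactive shell, except the names in the allow list.
#    $1: passwd-format file, $2: space-separated users who keep a shell.
#    Nothing is executed; review the output, then pipe it to sh as root.
shell_lockdown_plan() {
    awk -F: -v keep=" $2 " '
        $3 >= 500 && $7 !~ /(nologin|false)$/ && index(keep, " " $1 " ") == 0 {
            print "usermod -s /sbin/nologin " $1
        }' "$1"
}

# Constructed demo run (paths assumed; on a live box use /proc/net/tcp,
# a PID list from ls /proc and ps, /home/<user>, and /etc/passwd).
if [ "${1:-}" = "demo" ]; then
    listening_ports /proc/net/tcp
    shell_lockdown_plan /etc/passwd "root admin"
fi
```

Usage notes: POP/IMAP and local mail delivery do not need a login shell, so moving students to /sbin/nologin does not break email; wu-ftpd, however, refuses users whose shell is not listed in /etc/shells, so add /sbin/nologin there if those accounts must keep FTP. `rpm -V coreutils net-tools procps` will flag modified who, ifconfig and ps binaries, with the usual caveat that rpm itself may have been replaced, so run the comparison from a rescue boot where possible.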
