Have you tried telnet'ing to the open port for some indication of the program running?
And try /sbin/ifconfig or locate ifconfig. And whose .bash_history file are you talking about?

--- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> I just ran chkrootkit, it has found a possible LKM infection. Port 1010 is
> open, nmap says it doesn't know what it is. I can't tell what rootkit was
> used. Anyone have any ideas on how to stop this? I know the who file doesn't
> work, ifconfig doesn't work, .bash_history is linked to another file I can't
> find. Any suggestions?
>
> ----- Original Message -----
> From: "dax wood" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, December 12, 2002 10:22 PM
> Subject: Re: [sclug-general] security
>
> > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > All,
> > > I have installed a redhat 7.2 box in a local school system. Its
> > > functions include:
> > >
> > > Servers:
> > > FTP
> > > HTTP
> > > SSH
> > > DHCP
> > > DNS
> > > Email
> > >
> > > I have discovered someone created a user account with the home dir of
> > > /var/.bash2
> > > They granted themselves group membership of a principal. I noticed three
> > > files in their home dir of what appears to be a root exploit called
> > > dr. dolittle. I have not heard of this exploit. Anyhow, I disabled
> > > the account.
> > > I was curious as to how to prevent this in the future. I suspect it
> > > is a student causing this. I am wondering if I can disable the shell
> > > access to all except a select few. Will this cause problems with
> > > email services, etc?
> > > Will this prevent users from getting to a shell to run these
> > > exploits?
> > > Any help would be greatly appreciated.....
> > > thanks
> > > daniel kuecker
> >
> > Best guess would be that someone guessed or manipulated a privileged
> > account password. Look at logs for connections (if this was a real
> > hacker you will not find anything). Red Hat has drwxr-xr-x on /var? So
> > proof of a root hack if that is the case.
> > As far as the shell goes you can always play with the inittab file!
> >
> > In any case you need to upgrade to 8.0, otherwise due to a lot of
> > httpd->apache and openssl security holes you're like fish in a barrel.
> >
> > I was a kid once ( :) _) and I can remember a certain area12
> > hack on the school's main servers long ago...... in a mac unix far away.
> > Never at a school do you use pen or pencil as a password.
> >
> > ------ted----
> >
> > __________________________________________________
> > Do you Yahoo!?
> > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> > http://mailplus.yahoo.com
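The checks the thread is circling (an unknown listening port, who and ifconfig no longer working, .bash_history pointing somewhere else), as an added shell example that is not code from anyone on the list; it also maps a listening socket's inode to its owning PID, which the thread does not go into. It assumes a Linux /proc layout, and every function takes explicit paths (a /proc/net/tcp-format file, a /proc root, a history file) rather than hard-coding the live system.

```shell
# Triage helpers for a box where netstat/ifconfig/who may be trojaned. Each
# function takes explicit paths (assumption: Linux /proc layout) so it can be
# run against the live system or against constructed fixtures.

# List listening TCP sockets straight from a /proc/net/tcp-format file, so the
# check does not depend on netstat or ifconfig. State 0A is TCP_LISTEN; the
# local port is the hex value after the colon in field 2, the inode is field 10.
# Prints "<port> <inode>" per listening socket.
listen_ports() {
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2], $10 }' "$1" |
    while read -r hexport inode; do
        printf '%d %s\n' "0x$hexport" "$inode"
    done
}

# Find which PID(s) hold a socket inode by reading /proc/<pid>/fd symlinks.
# Arguments: inode, /proc root (normally /proc; a fixture tree in tests).
# Run as root. A LISTEN inode with no owner found is suspicious: a rootkit
# that hides a process from /proc also hides its fd entries.
inode_owners() {
    for fd in "$2"/[0-9]*/fd/*; do
        [ -L "$fd" ] || continue
        case "$(readlink "$fd")" in
            "socket:[$1]") p=${fd%/fd/*}; echo "${p##*/}" ;;
        esac
    done
    return 0
}

# Report where a shell history file points. Intruders commonly replace
# .bash_history with a symlink to /dev/null or to a file elsewhere so their
# commands are never recorded.
history_target() {
    if [ -L "$1" ]; then readlink "$1"; else echo "regular-file"; fi
}

# Look for a utility by absolute path in the system directories instead of
# trusting $PATH, printing every copy found so an extra or misplaced binary
# (a trojaned ifconfig, for instance) stands out for hash comparison.
find_tool() {
    for dir in /sbin /bin /usr/sbin /usr/bin; do
        [ -x "$dir/$1" ] && echo "$dir/$1"
    done
    return 0
}
```

Because an LKM rootkit can filter what /proc itself reports, a clean result from these checks is not proof of a clean box; compare them against the same checks run from a trusted boot medium.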
