The .bash_history is root's. ifconfig is in /sbin but it doesn't do anything when I run it, it says file not found. When I tried to telnet to port 1010 it refused me.

----- Original Message -----
From: "dax wood" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 10:37 PM
Subject: Re: [sclug-general] security

> Have you tried telnet'ing to the open port for some indication of the program running?
>
> And try /sbin/ifconfig
> or locate ifconfig
>
> And whose .bash_history file are you talking about?
>
> --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > I just ran chkrootkit, it has found a possible LKM infection. Port 1010 is open, nmap says it doesn't know what it is. I can't tell what rootkit was used. Anyone have any ideas on how to stop this? I know the who file doesn't work, ifconfig doesn't work, .bash_history is linked to another file I can't find. Any suggestions?
> >
> > ----- Original Message -----
> > From: "dax wood" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, December 12, 2002 10:22 PM
> > Subject: Re: [sclug-general] security
> >
> > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > All,
> > > > I have installed a redhat 7.2 box in a local school system. Its functions include:
> > > >
> > > > Servers:
> > > > FTP
> > > > HTTP
> > > > SSH
> > > > DHCP
> > > > DNS
> > > > Email
> > > >
> > > > I have discovered someone created a user account with the home dir of /var/.bash2. They granted themselves group membership of a principal. I noticed three files in their home dir of what appears to be a root exploit called dr. dolittle. I have not heard of this exploit. Anyhow, I disabled the account.
> > > > I was curious as to how to prevent this in the future. I suspect it is a student causing this. I am wondering if I can disable the shell access to all except a select few. Will this cause problems with email services, etc?
> > > > Will this prevent users from getting to a shell to run these exploits?
> > > > Any help would be greatly appreciated.....
> > > > thanks
> > > > daniel kuecker
> > >
> > > Best guess would be that someone guessed or manipulated a privileged account password. Look at logs for connections (if this was a real hacker you will not find anything). Red Hat has drwxr-xr-x on /var? So proof of a root hack if that is the case.
> > > As far as the shell goes you can always play with the inittab file!
> > >
> > > In any case you need to upgrade to 8.0, otherwise due to a lot of httpd->apache and openssl security holes you're like fish in a barrel.
> > >
> > > I was a kid once( :) _) and I can remember a certain area12 hack on the school's main servers long ago...... in a mac unix far away.
> > > Never at a school do you use pen or pencil as a password.
> > >
> > > ------ted----
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> > > http://mailplus.yahoo.com
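The thread's triage so far is telnet to the open port, locate ifconfig, and wondering whose .bash_history has been turned into a link. The script below is an added example, not something posted in the thread: it reads the kernel's own socket table from /proc/net/tcp and compares it with what netstat reports, which is the kind of discrepancy a userland rootkit (replaced netstat/ifconfig/who) produces, then finds the process holding a socket inode and reports where a linked .bash_history points. It assumes a Linux /proc/net/tcp layout, `netstat -lnt` output format and POSIX sh plus awk; the sample table and netstat output are constructed, with port 1010 chosen to match the thread. One caveat a practitioner would want: chkrootkit reported a possible LKM infection, and a kernel-level rootkit can hide a socket or process from /proc too, so an empty result here is a tripwire, not a clean bill of health; the trustworthy answer comes from examining the disk offline from known-good media.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). Assumptions: Linux /proc/net/tcp
# layout, `netstat -lnt` output format, POSIX sh + awk. Sample data below is
# constructed, not captured from any host.

# Print listening TCP ports from a /proc/net/tcp-format file (default: live).
# Kernel state 0A is LISTEN; local_address is hexIP:hexPORT.
proc_listen_ports() {
  awk '
    function hex2dec(h,   i, v) {
      v = 0; h = toupper(h)
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
      return v
    }
    NR > 1 && $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }
  ' "${1:-/proc/net/tcp}" | sort -n | uniq
}

# Ports the kernel table ($1) lists as LISTEN that a saved `netstat -lnt`
# output ($2) does not show. A replaced netstat hiding its port shows up here;
# an LKM rootkit may hide it from /proc as well, so "nothing" is not "clean".
hidden_listeners() {
  proc_listen_ports "$1" | awk -v ns="$2" '
    BEGIN {
      while ((getline line < ns) > 0)
        if (line ~ /LISTEN/) {
          n = split(line, f, /[ \t]+/)   # f[4] is the "Local Address" column
          m = split(f[4], a, ":")        # last piece after ":" is the port
          seen[a[m]] = 1
        }
    }
    !($1 in seen) { print }'
}

# PIDs holding a socket inode (the "inode" column of /proc/net/tcp).
# Live only: walks /proc/<pid>/fd. A process hidden by the kernel will not appear.
socket_owner() {
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] &&
      echo "$fd" | cut -d/ -f3
  done | sort -u
}

# Say whether a history file is a symlink and where it points; a link to
# /dev/null is the usual way to stop the shell from recording commands.
history_link() {
  if [ -L "$1" ]; then
    echo "symlink -> $(readlink "$1")"
  else
    echo "regular file"
  fi
}

# --- constructed sample data so the helpers can be exercised offline ---
SAMPLE_TCP=$(mktemp); SAMPLE_NS=$(mktemp)
cat > "$SAMPLE_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:03F2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:B234 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 00000000 100 0 0 10 0
EOF
cat > "$SAMPLE_NS" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
EOF

echo "kernel LISTEN ports:  $(proc_listen_ports "$SAMPLE_TCP" | tr '\n' ' ')"
echo "not shown by netstat: $(hidden_listeners "$SAMPLE_TCP" "$SAMPLE_NS")"
```

On the live box the same calls are `netstat -lnt > /tmp/ns.txt; hidden_listeners /proc/net/tcp /tmp/ns.txt`, then `socket_owner <inode>` with the inode column of the suspicious row, and `history_link /root/.bash_history`. On a Red Hat system, `rpm -Vf /sbin/ifconfig` compares the on-disk binary with the package database, which catches a swapped binary unless the database was tampered with as well.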
