the link thing.

go to root. (this will slow stuff down but it will work)
and type

     ls -aRl * | grep "/root/.bash_history"

and follow the stuff
--- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> the .bash_history is root's, ifconfig is in /sbin but it doesn't do
> anything when i run it, it says file not found. when i tried to telnet
> to port 1010 it refused me
> ----- Original Message -----
> From: "dax wood" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, December 12, 2002 10:37 PM
> Subject: Re: [sclug-general] security
> 
> 
> > have you tried telnet'ing to the open port for some indication of the
> > program running?
> >
> > and try /sbin/ifconfig
> > or locate ifconfig
> >
> > and whose .bash_history file are you talking about?
> >
> > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > i just ran chkrootkit, it has found a possible LKM infection. port
> > > 1010 is open, nmap says it doesn't know what it is. i can't tell what
> > > rootkit was used. anyone have any ideas on how to stop this? i know the
> > > who file doesn't work, ifconfig doesn't work, .bash_history is linked to
> > > another file i can't find. any suggestions?
> > > ----- Original Message -----
> > > From: "dax wood" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Thursday, December 12, 2002 10:22 PM
> > > Subject: Re: [sclug-general] security
> > >
> > >
> > > >
> > > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > > All,
> > > > > I have installed a redhat 7.2 box in a local school system. Its
> > > > > functions include:
> > > > >
> > > > > Servers:
> > > > > FTP
> > > > > HTTP
> > > > > SSH
> > > > > DHCP
> > > > > DNS
> > > > > Email
> > > > >
> > > > > I have discovered someone created a user account with the home dir
> > > > > of /var/.bash2
> > > > > they granted themselves group member of a principal. i noticed three
> > > > > files in their home dir of what appears to be a root exploit called
> > > > > dr. dolittle. i have not heard of this exploit. anyhow, i disabled
> > > > > the account.
> > > > > i was curious as to how to prevent this in the future. i suspect
> > > > > it is a student causing this. i am wondering if i can disable the
> > > > > shell access to all except a select few. will this cause problems
> > > > > with email services, etc?
> > > > > will this prevent users from getting to a shell to run these
> > > > > exploits?
> > > > > any help would be greatly appreciated.....
> > > > > thanks
> > > > > daniel kuecker
> > > > >
> > > >
> > > > Best guess would be that someone guessed or manipulated a privileged
> > > > account password. Look at logs for connections (if this was a real
> > > > hacker you will not find anything) Red Hat has drwxr-xr-x on /var? so
> > > > proof of a root hack if that is the case.
> > > >        as far as the shell goes you can always play with the inittab
> > > > file!
> > > >
> > > > In any case you need to upgrade to 8.0 otherwise due to a lot of
> > > > httpd->apache and openssl security holes you're like fish in a barrel.
> > > >
> > > >         I was a kid once( :)  _) and i can remember a certain area12
> > > > hack on the school's main servers long ago...... in a mac unix far away
> > > >         never at a school do you use pen or pencil as a password
> > > >
> > > > ------ted----
> > >
> 


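An added example, not part of the thread or written by its participants: a small shell audit for the signs reported above (an account whose home is a hidden directory such as /var/.bash2, and a shell history file that is a symlink). It also flags extra UID 0 accounts and lists accounts with a login shell, which goes beyond what the thread states. The function names and the /mnt/suspect mount point are assumptions; since the thread reports a possible LKM infection and non-working ifconfig and who, the functions take a root prefix so they can be run from trusted rescue media against the mounted disk.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a passwd file and the home
# directories under a mount point, so it can run from trusted rescue media
# instead of relying on the suspect host's own binaries.

# audit_passwd FILE: flag extra UID 0 accounts and hidden home directories.
audit_passwd() {
    awk -F: '
        NF >= 7 && $3 == 0 && $1 != "root" { print "UID0 " $1 }
        NF >= 7 && $6 ~ "/[.][^/]"         { print "HIDDENHOME " $1 " " $6 }
    ' "$1"
}

# login_shells FILE: list accounts that can get an interactive shell.
# An empty shell field means the system default, /bin/sh.
login_shells() {
    awk -F: 'NF >= 7 && $7 !~ /(nologin|false)$/ {
        print $1, ($7 == "" ? "/bin/sh" : $7)
    }' "$1"
}

# history_links ROOT FILE: report shell history files that are symlinks,
# with the target they point at (a common way to discard command history).
history_links() {
    root=$1
    cut -d: -f1,6 "$2" | while IFS=: read -r user home; do
        for f in .bash_history .sh_history; do
            p="$root$home/$f"
            if [ -L "$p" ]; then
                echo "SYMLINK $user $home/$f -> $(readlink "$p")"
            fi
        done
    done
}

# Usage (mount point is an assumption): sh audit.sh /mnt/suspect
if [ -n "${1:-}" ]; then
    audit_passwd "$1/etc/passwd"
    login_shells "$1/etc/passwd"
    history_links "$1" "$1/etc/passwd"
fi
```

Accounts that only need mail or FTP do not have to appear in the `login_shells` output; whether a given service still works with a non-login shell depends on how that service is configured.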