Where can I find that info on this website? I noticed the files top and ps are modified and pointed to >/dev/null

----- Original Message -----
From: "Brion Hase" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, December 12, 2002 10:45 PM
Subject: Re: [sclug-general] security

> The ifconfig file is a pretty basic target. Copy one over from another
> system to the /root directory and try that. Check http://www.cert.org/ to
> see which files the kit usually attacks.
>
> Brion.
>
> At 10:40 PM 12/12/02 -0600, you wrote:
> > The .bash_history is root's. ifconfig is in /sbin but it doesn't do anything
> > when I run it; it says file not found. When I tried to telnet to port 1010
> > it refused me.
> >
> > ----- Original Message -----
> > From: "dax wood" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Thursday, December 12, 2002 10:37 PM
> > Subject: Re: [sclug-general] security
> >
> > > Have you tried telnetting to the open port for some indication of the
> > > program running?
> > >
> > > And try /sbin/ifconfig
> > > or locate ifconfig
> > >
> > > And whose .bash_history file are you talking about?
> > >
> > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > I just ran chkrootkit; it has found a possible LKM infection. Port 1010 is
> > > > open; nmap says it doesn't know what it is. I can't tell what rootkit was
> > > > used. Anyone have any ideas on how to stop this? I know the who file doesn't
> > > > work, ifconfig doesn't work, .bash_history is linked to another file I can't
> > > > find. Any suggestions?
> > > >
> > > > ----- Original Message -----
> > > > From: "dax wood" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Thursday, December 12, 2002 10:22 PM
> > > > Subject: Re: [sclug-general] security
> > > >
> > > > > --- Daniel Kuecker <[EMAIL PROTECTED]> wrote:
> > > > > > All,
> > > > > > I have installed a redhat 7.2 box in a local school system. Its
> > > > > > functions include:
> > > > > >
> > > > > > Servers:
> > > > > > FTP
> > > > > > HTTP
> > > > > > SSH
> > > > > > DHCP
> > > > > > DNS
> > > > > > Email
> > > > > >
> > > > > > I have discovered someone created a user account with the home dir of
> > > > > > /var/.bash2
> > > > > > They granted themselves group membership of a principal. I noticed three
> > > > > > files in their home dir of what appears to be a root exploit called
> > > > > > dr. dolittle. I have not heard of this exploit. Anyhow, I disabled
> > > > > > the account.
> > > > > > I was curious as to how to prevent this in the future. I suspect it
> > > > > > is a student causing this. I am wondering if I can disable the shell
> > > > > > access to all except a select few. Will this cause problems with
> > > > > > email services, etc.?
> > > > > > Will this prevent users from getting to a shell to run these
> > > > > > exploits?
> > > > > > Any help would be greatly appreciated.....
> > > > > > Thanks
> > > > > > Daniel Kuecker
> > > > >
> > > > > Best guess would be that someone guessed or manipulated a privileged
> > > > > account password. Look at logs for connections (if this was a real
> > > > > hacker you will not find anything). Red Hat has drwxr-xr-x on /var? So
> > > > > proof of a root hack if that is the case.
> > > > > As far as the shell goes you can always play with the inittab file!
> > > > >
> > > > > In any case you need to upgrade to 8.0; otherwise, due to a lot of
> > > > > httpd->apache and openssl security holes, you're like fish in a barrel.
> > > > >
> > > > > I was a kid once ( :) _) and I can remember a certain area12
> > > > > hack on the school's main servers long ago...... in a mac unix far away.
> > > > > Never at a school do you use pen or pencil as a password.
> > > > >
> > > > > ------ted----
> > > > >
> > > > > __________________________________________________
> > > > > Do you Yahoo!?
> > > > > Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
> > > > > http://mailplus.yahoo.com
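The symptoms reported across this thread (ps, top, ifconfig and who replaced or pointed at /dev/null, root's .bash_history symlinked away, an unexplained listening port) can be triaged from a known-clean toolset without trusting the host's own netstat or ls. The script below is an added example written for this page; it is not code from the thread or from any of its posters. It assumes a baseline of known-good SHA-256 digests taken from pristine install media or the package database, and it reads listening sockets straight from /proc/net/tcp (which a trojaned netstat cannot hide, though a kernel module filtering /proc still could). The sample /proc/net/tcp text and the throwaway directory it checks are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Compromised-host triage for the thread's symptoms: trojaned or /dev/null-linked
system binaries, a symlinked .bash_history, and an unexpected LISTEN port.
Added example, not code from the list thread.  The known-good hash baseline is
assumed to come from pristine media or the package database."""
import hashlib
import os
import shutil
import tempfile

# Binaries userland rootkits commonly replace (assumed list for illustration).
WATCHED_BINARIES = ["/bin/ps", "/usr/bin/top", "/sbin/ifconfig", "/usr/bin/who", "/bin/netstat"]
# Ports the thread's server legitimately exposes: ftp, ssh, smtp, dns, dhcp, http.
EXPECTED_PORTS = {21, 22, 25, 53, 67, 80}


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binary(path, known_good):
    """Return finding tags for one binary; [] means nothing suspicious.
    known_good maps path -> expected SHA-256 hex digest."""
    if not os.path.lexists(path):
        return ["missing"]
    if os.path.islink(path):
        # A system binary that is a symlink is unusual; to /dev/null it is exactly
        # the 'pointed to >/dev/null' symptom described in the thread.
        return ["symlink:" + os.readlink(path)]
    findings = []
    with open(path, "rb") as f:
        if f.read(4) != b"\x7fELF":
            findings.append("not-elf")      # real ps/top/ifconfig are ELF, not scripts
    expected = known_good.get(path)
    if expected is None:
        findings.append("no-baseline")
    elif sha256_of(path) != expected:
        findings.append("hash-mismatch")
    return findings


def check_history(home):
    """Return the symlink target if home/.bash_history is a symlink, else None."""
    hist = os.path.join(home, ".bash_history")
    return os.readlink(hist) if os.path.islink(hist) else None


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp text; state 0A is LISTEN. Returns sorted port numbers."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:         # skip header row
        fields = line.split()
        if len(fields) >= 4 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # local port is hex
    return sorted(ports)


def unexpected_ports(ports, allowed=EXPECTED_PORTS):
    return [p for p in ports if p not in allowed]


# Constructed /proc/net/tcp sample: ssh (0016), http (0050) and 1010 (03F2) listening,
# plus one ESTABLISHED (01) client connection that must be ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:03F2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0100007F:8A3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 1004 1
"""


def build_demo_report():
    """Create a throwaway directory with constructed artifacts (a clean ELF-headed
    'ps', a 'top' symlinked to /dev/null, a shell-script 'ifconfig', a .bash_history
    symlinked to /dev/null), run the checks over it, and return the findings."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    try:
        ps = os.path.join(root, "ps")
        with open(ps, "wb") as f:
            f.write(b"\x7fELF" + b"\x00" * 60)              # fake ELF header
        top = os.path.join(root, "top")
        os.symlink("/dev/null", top)
        ifconfig = os.path.join(root, "ifconfig")
        with open(ifconfig, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")                 # stub in place of the real binary
        os.symlink("/dev/null", os.path.join(root, ".bash_history"))
        baseline = {ps: sha256_of(ps), ifconfig: "0" * 64}  # pretend digest of real ifconfig
        return {
            "ps": check_binary(ps, baseline),
            "top": check_binary(top, baseline),
            "ifconfig": check_binary(ifconfig, baseline),
            "history": check_history(root),
            "unexpected_ports": unexpected_ports(listening_ports(SAMPLE_PROC_NET_TCP)),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, result in build_demo_report().items():
        print(f"{name}: {result}")
    for path in WATCHED_BINARIES:                            # live host, no baseline supplied
        print(path, check_binary(path, {}))
```

Run it from a statically linked or known-clean Python on read-only media if possible; the point of the structural checks (symlink, non-ELF header) is that they fire even when no hash baseline exists, while a mismatch against a real baseline is what justifies reinstalling rather than patching the box, which is the conclusion the thread is circling toward.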
