List: focus-sun
Subject: Re: Followup - Thanks - "Re: ?hack cause? "
From: tps () unslept ! com
Date: 2002-03-30 22:31:29
[Download RAW message or body]
On Tue, Mar 26, 2002 at 01:41:47PM -0800, Andy Gabor wrote:
>
> Hi,
>
> Many, many thanks for all the responses - truly great help.
>
> This followup is in no particular order:
>
> 1. Snagged/ran "chkrootkit" -> nothing found!
>
> 2. Turns out that /usr/bin/.login *is* the original /usr/bin/login.
>
> -r-sr-xr-x 1 root bin 29200 Dec 13 11:47 /usr/bin/login*
> -rwxr-xr-x 1 root sys 6428 Mar 25 10:02 /usr/bin/login.hack*
> -r-sr-xr-x 1 root sys 29200 Mar 25 10:02 /usr/bin/.login.hack*
Run strings on the file, and see if it looks normal. Also, check /dev for
files that are not dev files or sym links.
> 3. New /usr/bin/login is bad file (md5).
> How did they manage to put that in /usr/bin/? Couldn't find sniffer.
Were you running ssh? This sounds like one of the rootkits that were
dropped in place from some sites via ssh v1 hacks.
> 4. md5 checksums are tested each day in selected directories.
>
> 5. Confirmed all security patches in place.
>
> 6. No errant inetd or /tmp/bob files
>
> 7. Some folk asked for open services - netstat -a output ("junk") attached.
> Yep! I should kill telnet!
> 8. tcp_wrappers is running.
Check your hosts.allow and hosts.deny, please. Also, verify that the
tcpd binary is a good one.
Tim
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>> Tim Sailer (at home) >< Coastal Internet,Inc. <<
>> Network and Systems Operations >< PO Box 671 <<
>> http://www.buoy.com >< Ridge, NY 11961 <<
>> tps@unslept.com/tps@buoy.com >< (631)924-3728 (888) 924-3728 <<
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
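The checks this reply asks for (plain files hiding under /dev, setuid binaries, and an md5 comparison of binaries such as login and tcpd against a stored baseline, which also covers the daily checksum run Andy mentions in point 4) as an added shell example. It is not code from the thread or from either poster; it assumes GNU or BusyBox find and md5sum, the paths in the usage section are placeholders, and the directories it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Implements the checks Tim asks for
# as functions: plain files under /dev, setuid binaries, and md5 verification
# of binaries (login, tcpd, ...) against a stored baseline.
# Assumes GNU/BusyBox find and md5sum. All paths in the usage section are
# placeholders.

# 1. A device directory should hold device nodes, FIFOs, symlinks and
#    subdirectories. A regular file under /dev is where rootkits of this era
#    kept their config and spare binaries. Prints each one found.
find_plain_files() {
    find "$1" -type f 2>/dev/null | sort
}

# 2. Setuid binaries: diff this list against yesterday's. A renamed copy of
#    login that keeps its s-bit (as in the ls output above) shows up here.
find_setuid_files() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# 3. Record "md5  path" for every regular file under DIR into OUT. Take the
#    baseline from known-good media and keep it off the box it describes.
make_baseline() {
    dir="$1"; out="$2"
    find "$dir" -type f -exec md5sum {} + | sort -k2 > "$out"
}

# Re-hash every path in the baseline. Prints CHANGED/MISSING lines and
# returns 1 if anything differs, 0 if every file still matches.
verify_baseline() {
    baseline="$1"; status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1; continue
        fi
        have=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$baseline"
    return "$status"
}

# Usage (placeholder paths):
#   sh devcheck.sh baseline /usr/bin /mnt/readonly/bin.md5   # once, from clean media
#   sh devcheck.sh scan /mnt/readonly/bin.md5                # from cron, daily
case "${1:-}" in
    baseline) make_baseline "${2:-/usr/bin}" "${3:-bin.md5}" ;;
    scan)
        echo "== plain files under /dev =="; find_plain_files /dev
        echo "== setuid files under /usr =="; find_setuid_files /usr
        echo "== baseline =="; verify_baseline "${2:-bin.md5}" && echo "all OK"
        ;;
esac
```

The baseline only proves anything if it was taken from trusted binaries and stored where the intruder cannot rewrite it; a baseline regenerated on the compromised host after the fact just memorises the trojaned files.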