[ale] hacked

Ken Nagorski kenn at refriedgeek.com
Wed Jan 2 08:40:44 EST 2002


Hi there, 

Thanks for the advice. This was what I was looking for as well. I found no
sniffer, no rootkit, no nothing, except the hacker seemed to have tried to
backdoor ssh and failed.

What I was trying to know was: was it local or remote? 

At any rate there is a new box with no local shell access, bind 9, courier
(instead of sendmail) and proftpd... That is it!

We will see how things go....

Happy new year
Ken

> Ken,
> I had a box hacked by a sshd1 exploit recently.  I think you pretty
> much hit the nail on the head.  My attackers didn't cover their tracks
> too cleanly.  If it has been within the past several days, run find
> -mtime -x (x being the # of days you want to see what files changed.)
> and pipe it to a /tmp file.  You'll probably find a sniffer, binary
> changes, but I did not find a de facto 'rootkit' installed.
> 
> Hope this helps.  I did upgrade to openssh (the latest version)
> on my other machines.  Be aware, there is also a Solaris version of the
> hack running around.
> 
> Steve
> 
> =======================================================
> | Steve Nicholas             |                        |
> | Software Systems Engineer  |  A risk is not a risk  |
> | Georgia State University   |  until it is taken.    | 
> | snicholas at gsu.edu          |                        |
> | 404-651-1062               |  BBROYGBVGW            |
> =======================================================
> 
> On Mon, 31 Dec 2001, Ken Nagorski wrote:
> 
>> Hi there,
>> 
>> Well I found a hacked box... It is a redhat 6.2 box.
>> 
>> I am looking for suggestions. Yes, I am going to reinstall, actually I
>> have a new box but this is what I wanna do... I wanna try to find out
>> why or what they hacked. I am running some find commands but nothing too
>> interesting came back.
>> 
>> It doesn't look like they wanted to hide themselves too bad. They hosed
>> ssh which is what tipped me off and they killed syslogd. 
>> 
>> I am guessing that it was a local user because I was running proftp
>> and ssh (no telnet) and I upgraded bind when the security patch came
>> out. Uhg, I know this email is a little disjointed however I am in a
>> sort of frantic state...
>> 
>> OK - any suggestions? 
>> Thanks
>> Ken
>> 


----------------------------------------------
But I don't want to go among mad people,
Alice remarked.
Oh, you can't help that, said the Cat:
we're all mad here. I'm mad. You're mad.
How do you know I'm mad? said Alice.
You must be, said the Cat,
or you wouldn't have come here.


---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
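The triage step Steve describes above (find files modified in the last N days and save the list) as an added example, not code from anyone in the thread. `recent_changes` is a hypothetical helper name; the sample tree and its file names are constructed here so the script runs offline, and `touch -d` assumes GNU coreutils (on BSD use `touch -t`).

```shell
#!/bin/sh
# Added example (not from the original thread): list regular files modified
# within the last N days under ROOT, which is the `find -mtime -x` triage
# step Steve describes. Usage: recent_changes ROOT DAYS
recent_changes() {
    root="$1"
    days="$2"
    # -xdev: stay on one filesystem so /proc, /sys and network mounts are skipped.
    # -type f: regular files only.
    # -mtime -N: modification time fewer than N*24h ago.
    find "$root" -xdev -type f -mtime "-$days" 2>/dev/null | sort
}

# Constructed sample tree so the example runs offline: two files touched
# just now (standing in for replaced binaries) and one backdated 30 days.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'x' > "$dir/sshd"        # constructed: "recent" file
    printf 'y' > "$dir/ls"          # constructed: "recent" file
    printf 'z' > "$dir/old.conf"    # constructed: untouched for 30 days
    touch -d '30 days ago' "$dir/old.conf"   # GNU touch; BSD: touch -t
    echo "$dir"
}

# Number of files under ROOT changed in the last DAYS days.
count_recent() {
    recent_changes "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: build the sample tree and show what a 7-day window catches.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    recent_changes "$sample" 7
    rm -rf "$sample"
fi
```

Two caveats worth keeping in mind when you run this on a box you suspect: `mtime` is trivially reset by an intruder with `touch`, so repeat the run with `-ctime` (inode change time, which cannot be set through the normal file-time calls), and save the listing somewhere other than `/tmp` on the compromised host, since anything written there is on the same disk the intruder controls.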