Security Incidents mailing list archives
Re: RH6.1/IPChains box hacked
From: mtinberg () MADISON TEC WI US (Mark Tinberg)
Date: Mon, 24 Apr 2000 11:22:51 -0500
It looks like a copy of your RPM database. Possibly the cracker edited and rebuilt your RPM database to hide his/her tracks. Try running 'rpm --verify --all' and comparing the output to 'rpm --verify /path/to/cdrom/RPMS/packagename.rpm' or 'rpm --verify ftp://ftp.redhat.com/path/to/RPMS/packagename.rpm' (using a known, trusted copy of the RPM executable, of course). This will compare checksums from the RPM database and then from the actual package files you have installed; they should match (you should be able to trust that your CDROM or ftp.redhat.com is OK). If not, then not only are your executables trojaned/backdoored/etc., but your RPM database is suspect as well. It's probably a good idea to always verify off trusted media as opposed to trusting that the RPM database hasn't been altered.
"J. J. Horner" <jhorner () KNOXLUG ORG> 04/21/00 16:22 PM >>>
FYI: I was hacked last week through Bind 8.2.2_P3. If anyone can look at my logs and tell me some thoughts, it would be good. The intruder erased all of the logs (/var/log/messages*) on my box, but didn't notice or didn't check to see that all logging was duplicated to another machine (*.* @JJ1) in /etc/syslog.conf. Here is what I have at the time around the hack. I also have some files in my /var/lib/anaconda-rebuilddb955643425/ directory:

[jhorner@gateway anaconda-rebuilddb955643425]$ ls -la
total 204
drwxr-xr-x   2 root root  4096 Apr 13 16:30 .
drwxr-xr-x  17 root root  4096 Apr 13 16:30 ..
-rw-r--r--   1 root root     0 Apr 13 16:30 conflictsindex.rpm
-rw-r--r--   1 root root 16384 Apr 13 16:31 groupindex.rpm
-rw-r--r--   1 root root 24576 Apr 13 16:31 nameindex.rpm
-rw-r--r--   1 root root 40960 Apr  3 16:31 providesindex.rpm
-rw-r--r--   1 root root 98304 Apr 13 16:31 requiredby.rpm
-rw-r--r--   1 root root 16384 Apr 13 16:31 triggerindex.rpm

None of these are real RPMs, so I don't know what to do with them. Any ideas?
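Added example (not code from either poster) illustrating the comparison Mark suggests above: interpret `rpm --verify` output from the possibly altered RPM database, interpret the same output produced against the trusted package files, and list the files the database copy fails to flag. The two blocks of verify output are constructed for this example; on a real box they would come from `rpm -Va` and from `rpm -Vp /path/to/trusted/package.rpm` (`-p` is the real rpm option that verifies against a package file rather than the database), both run with a copy of the rpm binary taken from trusted media. The column letters (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime) are rpm's own verify format; which paths are "modified" here is invented for the illustration.

```python
"""Interpret and cross-check `rpm --verify` output (added example, not from the thread)."""
import re
from typing import Dict, List

# Attribute columns printed by `rpm --verify`. rpm 3.x on Red Hat 6.1 prints eight;
# newer rpm adds a ninth (P, capabilities). A '.' means the attribute matched.
ATTR_NAMES = {"S": "size", "M": "mode", "5": "digest", "D": "device", "L": "link",
              "U": "user", "G": "group", "T": "mtime", "P": "caps"}

# attrs, optional file-type flag (c = config, d = doc, ...), then the path.
_LINE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$"
)

# Constructed sample: `rpm -Va`, i.e. verification against the (suspect) RPM database.
DB_VERIFY = """\
S.5....T   /usr/sbin/named
.......T c /etc/named.conf
S.5....T   /bin/ls
missing    /usr/sbin/in.telnetd
"""

# Constructed sample: the same files verified with `rpm -Vp` against the package
# files on the install CD-ROM, using a trusted rpm binary.
TRUSTED_VERIFY = """\
S.5....T   /usr/sbin/named
.......T c /etc/named.conf
S.5....T   /bin/ls
S.5....T   /bin/ps
S.5....T   /usr/bin/rpm
missing    /usr/sbin/in.telnetd
"""


def parse_verify(output: str) -> Dict[str, dict]:
    """Map each path rpm reported to its set of changed attributes and its file-type flag."""
    results: Dict[str, dict] = {}
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rpm --verify line: {line!r}")
        attrs = m.group("attrs")
        if attrs == "missing":
            changed = {"missing"}
        else:
            changed = {ATTR_NAMES[ch] for ch in attrs if ch != "."}
        results[m.group("path")] = {"changed": changed, "ftype": m.group("ftype")}
    return results


def suspicious(results: Dict[str, dict]) -> List[str]:
    """Paths whose contents differ from the package (digest or size) or that are gone.

    Config files ('c') are skipped because they are expected to differ, and an
    mtime-only change is not by itself evidence of tampering.
    """
    flagged = [
        path for path, info in results.items()
        if info["ftype"] != "c" and info["changed"] & {"digest", "size", "missing"}
    ]
    return sorted(flagged)


def hidden_by_database(db_output: str, trusted_output: str) -> List[str]:
    """Files the trusted-media check flags but the database check reports as clean.

    Any entry here means the RPM database itself no longer reflects the original
    packages, which is exactly the tampering the thread is worried about.
    """
    from_db = set(suspicious(parse_verify(db_output)))
    from_trusted = set(suspicious(parse_verify(trusted_output)))
    return sorted(from_trusted - from_db)


if __name__ == "__main__":
    print("flagged by rpm -Va      :", suspicious(parse_verify(DB_VERIFY)))
    print("flagged by trusted -Vp  :", suspicious(parse_verify(TRUSTED_VERIFY)))
    print("hidden by the database  :", hidden_by_database(DB_VERIFY, TRUSTED_VERIFY))
```

In the constructed data the database-based check already shows named and ls as modified, but only the check against the trusted package files reveals that ps and rpm were replaced too, which is why the comparison has to be run with an rpm binary that did not come from the compromised host.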
Current thread:
- Re: RH6.1/IPChains box hacked Mark Tinberg (Apr 24)
- Re: RH6.1/IPChains box hacked Rory Savage (Apr 24)
- Weird traceroutes Donald McLachlan (Apr 26)
- <Possible follow-ups>
- Re: RH6.1/IPChains box hacked J. J. Horner (Apr 24)