Security Incidents mailing list archives
Rooted by admrocks
From: thalakan () TECHNOLOGIST COM (Jason Spence)
Date: Wed, 12 Apr 2000 16:22:31 -0700
Hi all,

One of my name servers was rooted by admrocks on Wednesday afternoon, at 12:51 PDT. The funny thing was that the attack came from another nameserver that had been broken into, and the incoming telnet session to take control of the machine was from yet another machine (not a nameserver) which I think was compromised, because nmap showed it was running Netbus.

The attack involved catting a new user account into /etc/passwd (username boom, password boom (<-- courtesy of Jack the Ripper)), and installing a new /bin/login which had the string "/usr/lib/login" in there. I'm pretty sure that /usr/lib/login wasn't there when we started. rpm -Va also shows that /bin/login has been modified, and I'm positive I haven't touched it since installation.

We're running named non-root on Mandrake 7.0 with security set to paranoid during installation, and all the useless packages are removed now. Mandrake 7 apparently ships with bind 8.2.2 P5, and the copy of adm_bind I got from securityfocus doesn't seem to work on it anymore.

- Jason
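The three indicators in the post (an account catted into /etc/passwd, a replaced /bin/login that embeds "/usr/lib/login", and rpm -Va flagging /bin/login) can be turned into a small triage script. The script below is an added example, not Jason's code and not part of the admrocks kit; it assumes the host uses shadow passwords (so a real hash sitting in field 2 of /etc/passwd is itself a finding) and takes file paths as arguments so it can run over copies pulled off the box. All sample input in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: triage checks for the
# indicators reported (appended passwd account, trojaned /bin/login,
# rpm -Va showing /bin/login changed).
# Assumptions not in the post: shadow passwords are in use; file paths
# are passed in so the checks can run against saved copies.

# Print accounts with UID 0 other than root.
find_extra_uid0() {            # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print accounts whose password field is neither the shadow placeholder
# ("x") nor a lock marker ("*", "!", "!!"). An empty field (no password)
# is flagged too. An attacker who only appends a line to /etc/passwd,
# without touching /etc/shadow, has to put a usable hash here.
find_inline_hashes() {         # $1 = passwd file
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" { print $1 }' "$1"
}

# Return 0 if FILE contains STRING anywhere in its bytes. NULs are
# stripped first so the search works on a binary; strings(1) | grep
# would do the same job.
binary_contains() {            # $1 = file, $2 = string
    tr -d '\000' < "$1" | grep -q -F -- "$2"
}

# Count rpm -Va report lines for PATH whose size (S) or MD5 (5) column
# is set, i.e. the contents changed, not just the mtime. Report lines
# look like "S.5....T    /bin/login" or ".......T  c /etc/passwd".
rpm_verify_content_changed() { # $1 = saved rpm -Va output, $2 = path
    awk -v p="$2" '$NF == p && substr($1, 1, 8) ~ /[S5]/ { n++ } END { print n + 0 }' "$1"
}

# Write constructed sample input (NOT data from the incident) into DIR:
# a passwd with an appended UID-0 "boom" account, a fake login binary
# that embeds the suspicious path, and an rpm -Va style report.
write_samples() {              # $1 = directory
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/sh
named:x:25:25:Named:/var/named:/bin/false
boom:CONSTRUCTED_HASH_PLACEHOLDER:0:0::/:/bin/sh
EOF
    printf '\177ELF\000\000login\000/usr/lib/login\000\000' > "$1/login"
    cat > "$1/rpmva.txt" <<'EOF'
S.5....T    /bin/login
.......T  c /etc/passwd
EOF
}

# Stand-alone run over the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
echo "extra UID 0 accounts: $(find_extra_uid0 "$dir/passwd")"
echo "hashes stored directly in passwd: $(find_inline_hashes "$dir/passwd")"
if binary_contains "$dir/login" /usr/lib/login; then
    echo "login binary references /usr/lib/login"
fi
echo "rpm -Va content changes on /bin/login: $(rpm_verify_content_changed "$dir/rpmva.txt" /bin/login)"
rm -rf "$dir"
```

On a live host, source the file and point the functions at /etc/passwd, /bin/login and a saved `rpm -Va` report. Run rpm and read its database from a trusted copy (boot media or a clean peer): a kit that replaces /bin/login can just as easily replace rpm or edit the package database, so a clean `rpm -Va` on the compromised box proves little.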