Security Incidents mailing list archives
RH6.1/IPChains box hacked
From: jhorner () KNOXLUG ORG (J. J. Horner)
Date: Thu, 20 Apr 2000 14:38:41 -0400
FYI: I was hacked last week through Bind 8.2.2_P3. If anyone can look at my logs and tell me some thoughts it would be good.

The intruder erased all of the logs (/var/log/messages*) on my box, but didn't notice or didn't check to see that all logging was duplicated to another machine (*.* @JJ1) in /etc/syslog.conf.

Here is what I have at the time around the hack.

I also have some files in my /var/lib/anaconda-rebuilddb955643425/ directory:

[jhorner@gateway anaconda-rebuilddb955643425]$ ls -la
total 204
drwxr-xr-x   2 root root  4096 Apr 13 16:30 .
drwxr-xr-x  17 root root  4096 Apr 13 16:30 ..
-rw-r--r--   1 root root     0 Apr 13 16:30 conflictsindex.rpm
-rw-r--r--   1 root root 16384 Apr 13 16:31 groupindex.rpm
-rw-r--r--   1 root root 24576 Apr 13 16:31 nameindex.rpm
-rw-r--r--   1 root root 40960 Apr 13 16:31 providesindex.rpm
-rw-r--r--   1 root root 98304 Apr 13 16:31 requiredby.rpm
-rw-r--r--   1 root root 16384 Apr 13 16:31 triggerindex.rpm

None of these are real RPMS, so I don't know what to do with them.

Any ideas?

--
J. J. Horner
Apache, Perl, Unix, Linux
jhorner () knoxlug org http://www.knoxlug.org/