Security Incidents mailing list archives

Re: Can anyone explain this compromise?


From: Osvaldo Janeri Filho <osvaldojaneri () UOL COM BR>
Date: Thu, 10 Aug 2000 19:43:03 -0300

        Check your system against your backups (you back up frequently,
DON'T YOU?!), and try the chkrootkit tool. Check for suspicious files and
dirs, and the vital files of the system. I recommend a full new
installation of the system if you find anything strange, or even if you
don't find anything; these emails are sufficient for paranoid people. Try a
sniffer to check if you have any unauthorized traffic for your machine, and
even do a portscan on your machine for some open doors that can be
backdoors. If the system is RPM based, test the login, su, ps and others
against the original packages. E.g.:

at root prompt type
[root@osvaldo /root]# rpm -qf /bin/login
util-linux-2.10f-7
(Show the rpm package that contains login)
and then verify it

[root@osvaldo /root]# rpm --verify util-linux-2.10f-7
[root@osvaldo /root]#

(It will show if any files are modified from the original rpm)

Osvaldo J. Filho
Internet Security Specialist
osvaldojaneri () uol com br
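Added example, not code from the original post or its author: a POSIX sh script that does the rpm check the reply describes for login, su and ps in one pass and decodes the attribute string that `rpm -V` prints for a changed file (S size, M mode, 5 checksum, D device, L symlink, U user, G group, T mtime; newer rpm versions add P for capabilities). The sample `rpm -V` output, the classification names (TROJAN, CHANGED, TOUCHED, MISSING) and the helper names are this example's own; when `rpm` is not installed the script runs the same pipeline over the constructed sample so it can be tried anywhere.

```shell
#!/bin/sh
# Added example (not from the original post). Verify login/su/ps against
# their RPM packages and decode `rpm -V` output. rpm -V prints nothing for a
# file that matches the package database; for a changed file it prints an
# attribute string, an optional file-type column (c = config, d = doc, ...)
# and the path. A changed checksum ('5') or size ('S') on a binary is the
# classic trojan sign; a lone 'T' (mtime only) is usually benign.

# Constructed stand-in for real `rpm -V` output, so the example runs offline:
# a replaced /bin/login, a touched /bin/su, a chmod'ed config, a missing doc.
SAMPLE_RPMV='S.5....T.    /bin/login
.......T.    /bin/su
.M.......  c /etc/login.defs
missing     d /usr/share/man/man1/login.1.gz'

# classify_rpmv: read rpm -V lines on stdin, print one verdict per line.
# Paths containing spaces are not handled (last whitespace token is taken).
classify_rpmv() {
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    flags=${line%% *}       # first token: attribute string or "missing"
    path=${line##* }        # last token: the file path
    if [ "$flags" = missing ]; then
      echo "MISSING $path"
    else
      case "$flags" in
        *5*|*S*)           echo "TROJAN $path"  ;;  # content changed
        *M*|*U*|*G*|*L*|*D*) echo "CHANGED $path" ;;  # metadata changed
        *)                 echo "TOUCHED $path" ;;  # mtime only
      esac
    fi
  done
}

# sample_report: the classification pipeline applied to the constructed
# sample above (what a live run feeds through classify_rpmv).
sample_report() {
  printf '%s\n' "$SAMPLE_RPMV" | classify_rpmv
}

# verify_binaries PATH...: the reply's two steps per file, `rpm -qf` to find
# the owning package and `rpm -V` on that package, then pick out the verdict
# for the path in question. Prints "OK <path>" when rpm -V stays silent.
verify_binaries() {
  if ! command -v rpm >/dev/null 2>&1; then
    echo "rpm not installed here; showing the constructed sample instead" >&2
    sample_report
    return 0
  fi
  for f in "$@"; do
    pkg=$(rpm -qf "$f" 2>/dev/null) || { echo "UNOWNED $f"; continue; }
    res=$(rpm -V "$pkg" | classify_rpmv | awk -v p="$f" '$2 == p')
    echo "${res:-OK $f (package $pkg)}"
  done
}

# The binaries the thread says were trojaned on the compromised host.
verify_binaries /bin/login /bin/su /bin/ps
```

One caveat the reply's "do a full new installation" advice already implies: `rpm -V` trusts the local `rpm` binary and the database under /var/lib/rpm, both of which a root-level intruder can alter along with the files being checked, so a clean report is weak evidence. It is stronger when run from a clean boot medium against the mounted suspect disk (`rpm --root /mnt/suspect -V ...`) and when a '5' on a file is cross-checked against the checksum in the original package.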

On Thu, 10 Aug 2000, Sir Scriptzalot wrote:

Hi all,

We have been receiving messages like below from sites
around the world warning us that "ourhost.dom.com.au" has
been compromised. Here is one of the messages:

Your shells have been hacked by a group called
BlackHand. They hack shells and then they root and
do
illegal things like run illegal backgrounds in
servers
smurf scan etc. Here is some proof:

SNK- is snk () ourhost dom com au * Do whois if you
are a gay
SNK- using *.au [0:0:0:0:0:ffff:203.37.45.3] TI IRC
Server
SNK- End of WHOIS list.


Other messages are exactly the same but in addition include
stuff like "you have been r00ted and trojan login, ps, su
binaries inserted"

Any ideas?

Thanks,
Max

Max Steel
Omega-Xpress
