Security Incidents mailing list archives
Re: Compromised...
From: bernz () ALPHA BERNZTECH ORG (David Bernick)
Date: Mon, 7 Feb 2000 19:49:02 -0500
could certainly be named. there was a recent vulnerability that several hackers on my freenet (www.bernztech.org) compromised and gained root remotely. upgrading named will patch this.
This morning I tried to ssh to a domain I host on one of my boxes. I soon realized the domain wasn't resolving. I then ssh'd to the ip of the box. I discovered that named wasn't running. I restarted it. I was curious to find out why it had died. I started looking through the logs and I soon realized my machine had been broken into. Several binaries had been replaced. (ps, ls, netstat, ...). I replaced the ps and ls and found some interesting things. There was a process running called in,telnetd (notice the comma). I found this in "/usr/ /":
SNIP
Has anyone else experienced this? How did they get in? At this point I'm pretty sure it was through named. How should I go about cleaning it up? Right now I think I'll just reinstall the RPMs off of the CD. Will this be enough (along with upgrading BIND)? If anyone could share any useful information please do so. Thanks, Steve Logan
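The two indicators described in the quoted report (a directory whose name is only whitespace, and a process named `in,telnetd` imitating `in.telnetd`) can be checked for mechanically. The following is an added example, not part of the original thread; the daemon list, function names and sample data are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Daemon names an intruder might imitate (assumed list; extend for your hosts).
KNOWN_DAEMONS = {"in.telnetd", "in.ftpd", "in.rlogind", "inetd", "named", "sshd"}

def suspicious_dir_names(root):
    """Return directories under root whose names are only dots and/or whitespace."""
    hits = []
    for parent, dirs, _files in os.walk(root):
        for name in dirs:
            # os.walk never yields "." or "..", so any such name is a real entry.
            if re.fullmatch(r"[.\s]+", name):
                hits.append(os.path.join(parent, name))
    return sorted(hits)

def _skeleton(name):
    """Drop case and punctuation so 'in,telnetd' and 'in.telnetd' compare equal."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

def lookalike_processes(proc_names):
    """Return (process, imitated daemon) pairs that differ only in punctuation or case."""
    skeletons = {_skeleton(d): d for d in KNOWN_DAEMONS}
    hits = []
    for name in proc_names:
        base = os.path.basename(name.strip())
        real = skeletons.get(_skeleton(base))
        if real is not None and base != real:
            hits.append((base, real))
    return hits

def demo():
    # Constructed sample: a temp tree containing a directory named " ",
    # and a made-up process list including the name from the report.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", " "))
        os.makedirs(os.path.join(root, "usr", "lib"))
        dirs = [os.path.relpath(p, root) for p in suspicious_dir_names(root)]
    procs = lookalike_processes(["/usr/sbin/named", "in,telnetd", "sshd", "bash"])
    return dirs, procs

if __name__ == "__main__":
    print(demo())
```

Because the report says `ps`, `ls` and `netstat` were replaced, the process list fed to `lookalike_processes` should come from a known-good binary or from an offline examination of the disk, not from the tools on the affected host.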