Security Incidents mailing list archives
Bind8 exploit and a deleted partition map
From: "Matteo,Marc A." <mmatteo () FUSIONSTORM COM>
Date: Mon, 12 Feb 2001 16:12:10 -0800
Hi all,

I was asked to look at a Red Hat box that had been owned, presumably via Bind 8.2.2. Limited forensics had already been done -- /etc/inetd.conf and /etc/services had been messed with to add a shell at port 54321 and it looked like the /etc/ssh_random_seed file had been messed with as well (tho that's hard to prove).

Here's the fun thing. The box was shut down and when it was rebooted there was no partition map on the main hard drive. Needless to say, I didn't even get to see the box (damn).

So my question is, what're the odds that the hard drive was hosed by a booby trap rather than really bad luck? If it was a parting gift from an attacker, what are the methods used to leave that sort of thing as a trap on shutdown/reboot (so it can be avoided in the future)?

Marc

--
Marc Matteo
Security Engineer
http://www.fusionstorm.com
Cell: 916.718.2036
PGP: 9C8F 13F6 3234 2491 B425 9538 7858 61A4 8FA4 0A8B
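A defender's check for the two symptoms in the post above (a shell hung off an unusual inetd port, and a partition table that is gone after reboot), added here as an example and not part of the original thread. The inetd.conf and services lines are constructed, and the 1..1023 port baseline and the shell list are assumptions.

```python
# Added example (not from the thread): audit inetd.conf for a rogue shell service
# and check whether a disk's first sector still holds a partition table.

# Constructed sample of a tampered /etc/inetd.conf; the last line is the rogue entry.
INETD_CONF = """\
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
backdoor stream  tcp  nowait  root  /bin/sh         sh -i
"""
# Constructed /etc/services with a name added for the rogue port.
SERVICES = """\
ftp       21/tcp
telnet    23/tcp
backdoor  54321/tcp
"""
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}  # assumed list

def parse_services(text):
    """Map service name -> (port, proto) from /etc/services-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and "/" in fields[1]:
            port, proto = fields[1].split("/", 1)
            table[fields[0]] = (int(port), proto)
    return table

def audit_inetd(inetd_text, services_text, expected_ports=range(1, 1024)):
    """Flag inetd entries whose server program is a shell or whose port is
    outside the expected range (the 1..1023 baseline is an assumption)."""
    services = parse_services(services_text)
    findings = []
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank, comment, or malformed line
        name, server = fields[0], fields[5]  # service name, server program
        port = services.get(name, (None, None))[0]
        if server in SHELLS:
            findings.append((name, port, "server program is a shell"))
        elif port is None or port not in expected_ports:
            findings.append((name, port, "unexpected port"))
    return findings

def mbr_partition_count(sector):
    """Count used entries in a 512-byte MBR partition table; None if the
    0x55AA signature is missing, 0 if the table itself has been emptied."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        return None
    entries = [sector[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    return sum(1 for e in entries if any(e))
```

Against a live system the sector would be the first 512 bytes read from the disk device, compared against a copy saved before the incident; a valid signature with zero entries points to the table being emptied rather than the drive failing.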