Security Incidents mailing list archives

Bind8 exploit and a deleted partition map


From: "Matteo,Marc A." <mmatteo () FUSIONSTORM COM>
Date: Mon, 12 Feb 2001 16:12:10 -0800

Hi all,

I was asked to look at a Red Hat box that had been owned, presumably via
Bind 8.2.2.

Limited forensics had already been done -- /etc/inetd.conf and
/etc/services had been messed with to add a shell at port 54321 and it
looked like the /etc/ssh_random_seed file had been messed with as well
(though that's hard to prove).

Here's the fun thing.  The box was shut down and when it was rebooted
there was no partition map on the main hard drive.  Needless to say, I
didn't even get to see the box (damn).

So my question is, what're the odds that the hard drive was hosed by a
booby trap rather than really bad luck?  If it was a parting gift from
an attacker, what are the methods used to leave that sort of thing as a
trap on shutdown/reboot (so it can be avoided in the future)?

Marc
--
Marc Matteo
Security Engineer
http://www.fusionstorm.com
Cell: 916.718.2036
PGP:  9C8F 13F6 3234 2491 B425  9538 7858 61A4 8FA4 0A8B
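The two things a responder would want to check on a box like the one described above are the inetd.conf/services pair (the port-54321 shell) and anything that runs at halt or reboot time. The following is an added audit example, not code from the poster or from any of the parties in this thread. It assumes a SysV-style Red Hat layout (/etc/inetd.conf, /etc/services, scripts under /etc/rc.d/rc0.d and rc6.d), and the file contents it scans are constructed samples embedded inline so it runs offline; on a real case you would feed it files read from a read-only mounted image, not from the live system. It does not claim to know what actually destroyed this particular partition table.

```python
"""
Post-compromise audit helpers for a SysV-style Linux host (added example).

  1. find_inetd_backdoors: inetd.conf entries whose server program is an
     interactive shell, or whose service name resolves (via /etc/services)
     to an unexpected high port -- the pattern described in the post.
  2. find_disk_writes: lines in shutdown/reboot scripts that write to a raw
     disk device, one way a partition table could be wiped on halt.

All sample file contents below are constructed for illustration.
"""
import re

# Constructed /etc/services sample: stock entries plus an added name that
# lets inetd.conf refer to port 54321 by a harmless-looking service name.
SAMPLE_SERVICES = """\
# service-name  port/protocol
ftp             21/tcp
telnet          23/tcp
sysmon          54321/tcp
"""

# Constructed /etc/inetd.conf sample: a root shell bound to "sysmon".
SAMPLE_INETD = """\
# <service> <socket> <proto> <wait/nowait> <user> <server> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
sysmon  stream  tcp  nowait  root  /bin/sh         sh -i
"""

# Constructed shutdown-time scripts (path -> content): one benign, one that
# zeroes the first sector of the primary IDE disk, where the partition
# table lives. Hypothetical names, not files from the case in the post.
SAMPLE_SHUTDOWN_SCRIPTS = {
    "/etc/rc.d/rc0.d/K10network": "#!/bin/sh\n/etc/rc.d/init.d/network stop\n",
    "/etc/rc.d/rc6.d/S00cleanup":
        "#!/bin/sh\n# housekeeping\ndd if=/dev/zero of=/dev/hda bs=512 count=1\n",
}

SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/zsh"}
RAW_DISK = re.compile(r"/dev/(hd[a-z]|sd[a-z])\d*\b")
DESTRUCTIVE = re.compile(r"\b(dd|fdisk|sfdisk|mkfs(\.\w+)?|mkswap)\b")


def parse_services(text):
    """Map service name -> (port, proto) from /etc/services syntax."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        port, proto = fields[1].split("/", 1)
        table[fields[0]] = (int(port), proto)
    return table


def parse_inetd(text):
    """Return the non-comment inetd.conf entries as dicts (1-based line numbers)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 6:
            continue
        entries.append({"line": lineno, "service": fields[0], "proto": fields[2],
                        "user": fields[4], "server": fields[5], "args": fields[6:]})
    return entries


def find_inetd_backdoors(inetd_text, services_text, privileged_max=1023):
    """Flag inetd entries that spawn a shell, use an unknown service name,
    or sit on a non-privileged port (heuristic; review hits by hand)."""
    services = parse_services(services_text)
    findings = []
    for e in parse_inetd(inetd_text):
        port = services.get(e["service"], (None, None))[0]
        reasons = []
        if e["server"] in SHELLS:
            reasons.append("server program is an interactive shell")
        if port is None:
            reasons.append("service name has no /etc/services entry")
        elif port > privileged_max:
            reasons.append("bound to non-privileged port %d" % port)
        if reasons:
            findings.append({"line": e["line"], "service": e["service"],
                             "port": port, "user": e["user"],
                             "server": e["server"], "reasons": reasons})
    return findings


def find_disk_writes(scripts):
    """Flag script lines that point a disk-writing tool or a shell redirect
    at a raw block device. Returns (path, lineno, stripped line) tuples."""
    hits = []
    for path, content in scripts.items():
        for lineno, line in enumerate(content.splitlines(), 1):
            code = line.split("#", 1)[0]
            if RAW_DISK.search(code) and (DESTRUCTIVE.search(code)
                                          or re.search(r">\s*/dev/", code)):
                hits.append((path, lineno, line.strip()))
    return hits


if __name__ == "__main__":
    for f in find_inetd_backdoors(SAMPLE_INETD, SAMPLE_SERVICES):
        print("inetd.conf line %d: %s -> port %s as %s via %s (%s)" % (
            f["line"], f["service"], f["port"], f["user"], f["server"],
            "; ".join(f["reasons"])))
    for path, lineno, text in find_disk_writes(SAMPLE_SHUTDOWN_SCRIPTS):
        print("%s:%d: %s" % (path, lineno, text))
```

The inetd check is only a heuristic: a service name that resolves to a high port is suspicious on a stock box of that era but not proof of anything, and an attacker can just as easily hide a listener in rc.local or a cron job, so the rc0.d/rc6.d scan should be read alongside /etc/inittab and the halt script itself rather than instead of them.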

