Security Incidents mailing list archives
RedHat compromise
From: Jim Roland <jroland () ROLAND NET>
Date: Mon, 19 Feb 2001 15:43:47 -0600
I have a customer who had one RH61 system compromised.

Symptoms: Unable to telnet to the box nor acquire a POP3 connection (drops connection) from outside. You can telnet to the box from the locally attached subnet w/o problem.

Known files modified:

- /etc/inetd.conf: Line added "smbd2 stream tcp nowait root /usr/sbin/in.smb in.smb"
- /etc/services: Line added "smbd2 54321/tcp # Samba"
- crontab table for root: executes /usr/sbin/init every 5 minutes (the init program resides on /sbin/init and was untouched)

No Samba/SMB services were installed on this system by me and its NAMED server (bind) was current as per RedHat.

From the remote network, I am able to telnet to port 54321 and get a telnet prompt on the box. Further investigation shows that all TCP connections are denied.

No IP addresses are reflected in /var/log/messages nor /var/log/secure, and I am unable to determine from where the attack came, but the date/time stamp on the files shows it occurred on Feb 19, at 05:05 localtime.

How can I find where it came from?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
"Never settle with words what you can settle with a flamethrower" -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
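The three artifacts in the post (an inetd.conf entry running an unpackaged binary as root, an /etc/services entry mapping a made-up service name to a high port, and a root cron job invoking a binary that reuses the name of a system program from a different directory) form a recognisable persistence pattern. The script below is an added example of triage logic for that pattern; it is not part of Jim Roland's post and not a tool from the list. The config text it scans is constructed from the lines quoted in the post, and the PACKAGE_OWNED and EXPECTED_PORTS sets are assumptions standing in for what you would actually build from `rpm -qal` and `rpm -Vf` output on the host.

```python
"""Triage helpers for the inetd/services/cron persistence pattern in the post.

All input below is constructed from the lines quoted in the post; it is not
data pulled from the compromised host.
"""
import os
import re
from typing import Dict, List, Tuple

# Constructed sample: the three artifacts named in the post, plus benign lines.
INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
smbd2   stream  tcp     nowait  root    /usr/sbin/in.smb in.smb
"""

SERVICES = """\
ftp             21/tcp
telnet          23/tcp
smbd2           54321/tcp               # Samba
"""

ROOT_CRONTAB = """\
# m h dom mon dow command
*/5 * * * * /usr/sbin/init
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
"""

# Assumption for the example: paths the package manager owns on this host.
# On a real system derive this from `rpm -qal` / `rpm -Vf`, not a literal.
PACKAGE_OWNED = {
    "/usr/sbin/tcpd", "/usr/sbin/in.ftpd", "/usr/sbin/in.telnetd",
    "/sbin/init", "/usr/sbin/logrotate",
}

# Assumption: well-known ports for the services inetd is expected to offer.
EXPECTED_PORTS = {"ftp": 21, "telnet": 23}


def parse_inetd(text: str) -> List[Dict[str, str]]:
    """Return one dict per active inetd.conf entry.

    Field order: service socket_type proto wait/nowait user program [args].
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        entries.append({
            "service": fields[0], "proto": fields[2],
            "user": fields[4], "program": fields[5],
            "args": " ".join(fields[6:]),
        })
    return entries


def parse_services(text: str) -> Dict[str, Tuple[int, str]]:
    """Map service name -> (port, proto) from /etc/services-style lines."""
    out: Dict[str, Tuple[int, str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        m = re.match(r"^(\S+)\s+(\d+)/(tcp|udp)", line)
        if m:
            out[m.group(1)] = (int(m.group(2)), m.group(3))
    return out


def suspicious_inetd(inetd_text: str, services_text: str) -> List[str]:
    """Flag root inetd entries whose program is unowned or whose port is odd."""
    services = parse_services(services_text)
    findings = []
    for e in parse_inetd(inetd_text):
        port = services.get(e["service"], (None, None))[0]
        reasons = []
        if e["program"] not in PACKAGE_OWNED:
            reasons.append("program not package-owned")
        if port is None:
            reasons.append("no /etc/services entry")
        elif e["service"] in EXPECTED_PORTS and port != EXPECTED_PORTS[e["service"]]:
            reasons.append(f"port {port} != expected {EXPECTED_PORTS[e['service']]}")
        elif e["service"] not in EXPECTED_PORTS and port >= 1024:
            reasons.append(f"unregistered high port {port}")
        if reasons and e["user"] == "root":
            findings.append(f"{e['service']} -> {e['program']}: " + "; ".join(reasons))
    return findings


def suspicious_cron(cron_text: str) -> List[str]:
    """Flag cron commands that are unowned or shadow a system binary's name."""
    known_names = {os.path.basename(p): p for p in PACKAGE_OWNED}
    findings = []
    for line in cron_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)           # 5 schedule fields + command
        if len(fields) < 6:
            continue
        cmd = fields[5].split()[0]
        if cmd in PACKAGE_OWNED:
            continue
        name = os.path.basename(cmd)
        if name in known_names:
            findings.append(f"{cmd} shadows {known_names[name]} in cron: {line}")
        else:
            findings.append(f"{cmd} not package-owned in cron: {line}")
    return findings


if __name__ == "__main__":
    for f in suspicious_inetd(INETD_CONF, SERVICES) + suspicious_cron(ROOT_CRONTAB):
        print("SUSPICIOUS:", f)
```

On the constructed input this reports the smbd2 entry (unowned program on an unregistered high port, run as root) and the /usr/sbin/init cron job (shadows /sbin/init). The point of keying everything to package ownership is that, with /var/log/messages and /var/log/secure already clean, the planted files themselves are the remaining host-side evidence: their inode change times, the unpackaged binary, and whatever it was built from are what you preserve before touching anything else.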