Security Incidents mailing list archives

RedHat compromise


From: Jim Roland <jroland () ROLAND NET>
Date: Mon, 19 Feb 2001 15:43:47 -0600

I have a customer who had one RH61 system compromised.

Symptoms:
Unable to telnet to the box nor acquire a POP3 connection (drops connection) from outside. You can telnet to the box from the locally attached subnet w/o problem.
Known files modified:
    /etc/inetd.conf:  Line added "smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb"
    /etc/services:    Line added "smbd2    54321/tcp    # Samba"
    crontab table for root:  executes /usr/sbin/init every 5 minutes (the init program resides on /sbin/init and was untouched)

No Samba/SMB services were installed on this system by me and its NAMED server (bind) was current as per RedHat. From the remote network, I am able to telnet to port 54321 and get a telnet prompt on the box. Further investigation shows that all TCP connections are denied.

No IP addresses are reflected in /var/log/messages nor /var/log/secure, and I am unable to determine from where the attack came, but the date/time stamp on the files shows it occurred on Feb 19, at 05:05 localtime. How can I find where it came from?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jim Roland, RHCE (RedHat Certified Engineer)
Owner, Roland Internet Services
    "Never settle with words what you can settle with a flamethrower"
          -- Anonymous
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
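A defender's triage check for the three indicators the post lists (the added inetd.conf entry, the added /etc/services entry and the root crontab job), written as an example for this thread and not part of the original post. The file contents below are constructed from the lines quoted above; KNOWN_DAEMONS and CANONICAL are assumed allow-lists that a real run would build from the package database.

```python
import re
# Constructed sample input reproducing the indicators reported in the post.
INETD_CONF = """\
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb
"""
SERVICES = """\
telnet          23/tcp
smbd2    54321/tcp    # Samba
"""
ROOT_CRONTAB = """\
0 4 * * * /usr/bin/updatedb
*/5 * * * * /usr/sbin/init
"""
# Assumed allow-list of daemon paths legitimately launched by inetd on this
# host; on a real system derive it from `rpm -qf` / `rpm -V` on each path.
KNOWN_DAEMONS = {"/usr/sbin/tcpd", "/usr/sbin/in.telnetd", "/usr/sbin/in.ftpd"}
# Canonical locations of core binaries: a same-named copy elsewhere is a red flag.
CANONICAL = {"init": "/sbin/init", "login": "/bin/login", "sh": "/bin/sh"}
def service_ports(text):
    # Map service name -> port from /etc/services; trailing comments ignored.
    ports = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)/(?:tcp|udp)", line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports
def suspicious_inetd(conf, services, known=KNOWN_DAEMONS):
    # Flag inetd entries whose server path is off the allow-list, with the port
    # that /etc/services maps the service name to (None if unmapped).
    ports, flagged = service_ports(services), []
    for line in conf.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        name, user, path = f[0], f[4], f[5]
        if path not in known:
            flagged.append((name, ports.get(name), user, path))
    return flagged
def suspicious_crontab(text, canonical=CANONICAL):
    # Flag cron commands that mimic a core binary from a non-canonical path.
    flagged = []
    for line in text.splitlines():
        f = line.split(None, 5)
        if len(f) < 6 or f[0].startswith("#"):
            continue
        cmd = f[5].split()[0]
        expected = canonical.get(cmd.rsplit("/", 1)[-1])
        if expected and cmd != expected:
            flagged.append((cmd, expected))
    return flagged
```

Run against the real files the flagged paths are then the ones to hash and compare against `rpm -V` output before the box is rebuilt.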
