Security Incidents mailing list archives
RH6 boxes cracked
From: "D. Scott Barninger" <barninger () CVN NET>
Date: Wed, 3 Jan 2001 06:22:46 -0500
Hello, I am still trying to determine all that has been done, but here is what I know at the moment. If anyone has seen similar attacks, please let me know what to look for.

For starters, there appears to be a trojanized su binary installed. When calling su there is a delay of approximately 6-8 seconds after entering the root password before a shell prompt is returned. A log message indicates that "call_pam_xauth" successfully forked a child (returned 1). At that point a check on the /dev directory shows most everything has altered user/group and/or permissions. The tty from which the su command was issued is now owned by my user rather than root, as is /dev/hdb. /dev/tty* is now writeable by group, etc. Reinstalling the dev and sh-utils packages corrects things until the next time su is run. The same is true on 2 other boxes from which I typically rlogin over the internal network (the primary box is a MASQ gateway).

About 2 days prior to discovering this I got port-scanned and logged rejected packets on a netbios port (I did have the netbios service exposed for remote connections).

Any insights would be greatly appreciated.

Scott
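The symptom described in the post, device-node ownership and permissions changing every time su is run, is easiest to confirm by comparing a known-good snapshot of /dev against the current state. The following checker is an added example and is not part of the original post or the thread replies. It parses snapshots in the shape produced by `stat -c '%n %U %G %a'` (path, owner, group, octal mode), reports every owner, group or mode drift, and can also take a live snapshot of a directory. The two embedded snapshots are constructed for illustration: a baseline taken right after reinstalling the dev package, and the state after running su, with the user name `scott` assumed.

```python
import grp
import os
import pwd
import stat

# Constructed sample snapshots (not real data from the post) in the format of
# `stat -c '%n %U %G %a'`: path, owner, group, octal permission bits.
BASELINE = """\
/dev/tty1 root tty 620
/dev/tty2 root tty 620
/dev/hdb root disk 660
/dev/null root root 666
"""

AFTER_SU = """\
/dev/tty1 scott tty 620
/dev/tty2 root tty 660
/dev/hdb scott disk 660
/dev/null root root 666
"""


def parse_snapshot(text):
    """Parse 'path owner group mode' lines into {path: (owner, group, mode_int)}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, owner, group, mode = line.split()
        entries[path] = (owner, group, int(mode, 8))
    return entries


def snapshot_dir(directory):
    """Take a live snapshot of a directory in the same shape parse_snapshot() returns.

    Uses lstat so symlinks are recorded as themselves rather than their targets.
    Unknown uids/gids are kept numerically instead of failing the whole run.
    """
    entries = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        try:
            owner = pwd.getpwuid(st.st_uid).pw_name
        except KeyError:
            owner = str(st.st_uid)
        try:
            group = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            group = str(st.st_gid)
        entries[path] = (owner, group, stat.S_IMODE(st.st_mode))
    return entries


def diff_snapshots(baseline, current):
    """Return sorted (path, field, expected, actual) tuples for every drift.

    Fields are 'owner', 'group', 'mode', plus 'missing' (in baseline only) and
    'new' (in current only) so unexpected device nodes also surface.
    """
    findings = []
    for path, (b_owner, b_group, b_mode) in baseline.items():
        if path not in current:
            findings.append((path, "missing", None, None))
            continue
        c_owner, c_group, c_mode = current[path]
        if c_owner != b_owner:
            findings.append((path, "owner", b_owner, c_owner))
        if c_group != b_group:
            findings.append((path, "group", b_group, c_group))
        if c_mode != b_mode:
            findings.append((path, "mode", format(b_mode, "o"), format(c_mode, "o")))
    for path in current:
        if path not in baseline:
            findings.append((path, "new", None, None))
    # Sort on path and field only; expected/actual may be None.
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    base = parse_snapshot(BASELINE)
    now = parse_snapshot(AFTER_SU)
    for path, field, expected, actual in diff_snapshots(base, now):
        print(f"{path}: {field} changed {expected} -> {actual}")
```

In practice the baseline snapshot is taken with `snapshot_dir("/dev")` immediately after reinstalling the affected packages, saved somewhere the suspect host cannot alter (removable media or another machine), and compared again after each su invocation; a non-empty diff on an otherwise idle system is the confirmation the post is looking for, and the set of changed nodes tells you which binary to pull for offline analysis.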