Security Incidents mailing list archives
Re: Guess this is a hack attemp
From: Alvin Oga <alvin.sec () Maggie Linux-Consulting com>
Date: Sun, 22 Jul 2001 17:39:46 -0700 (PDT)
hi ya gareth

run the rootkit detectors... and see if it finds anything...

- audit your box... ( tons of free auditing tools )
	http://www.linux-sec.net
	Audit & tracking/forensics sections
	( search for rootkit ... easier ?? )

if they were successful...you'd see many symptoms:
	- altered log files
	- altered binaries
	- altered config files
	- extra directories
	- extra files
	- extra processes running that you cannot explain
	- slower response than before
	- bounced emails to root/postmaster
	- blah...blah...

all of those are easy to identify before it becomes a problem
with a good IDS... but a properly hardened box will be even better...

- they were "Testing" your rpc stuff... for old bugs...
  if you do NOT mount this server from other boxes...
  turn nfs off along with hundreds of other unused services/daemons

== since you have to ask ... how can you tell...

- the simple answer is install tripwire or aide or other ids
  and it will tell you they got in... ( which is TOOO late )

- trick: only install tripwire/aide/ids on a VIRGIN&Patched box...
  don't bother wasting time after it's been online/[h/cr]hacked

have fun
alvin

On Sun, 22 Jul 2001, Gareth Hastings wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220

How do I know if the attempt succeeded or not ? This entry is repeated about 50 times.
I checked the obvious things like hosts.allow/deny being changed. I checked for suid root files and entries in the inetd.conf file.
Is there anything else I should look for ?
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
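Added worked example (written for this archive page; it is not code from either message in the thread): a small Python triage script for the kind of rpc.statd entry Gareth quotes. It picks out "gethostbyname error for" lines whose supposed hostname contains printf directives, measures the \220 (0x90 NOP) sled, counts how often the identical payload recurs, and walks the format string to work out what each %hn would have stored. Two things are assumptions, labelled in the code: that statd handed the fixed text "gethostbyname error for " followed by the hostname to syslog() as the format string, so the byte count behind %hn starts at that prefix, and that syslog rendered non-printable bytes as caret notation (^X) and three-digit octal escapes (\220). The log lines are constructed for the example with the sled cut to eight bytes; fed the widths from the posted line (nine %8x, %62716x, %51859x) under the prefix assumption, the two %hn halves come out as 0xf56c and 0xbfff, i.e. a stack-looking 0xbffff56c written to two addresses 2 bytes apart. That says what was attempted, not whether it worked; answering the second question still needs the comparison against a known-good baseline that Alvin describes.

```python
#!/usr/bin/env python3
"""Triage rpc.statd "gethostbyname error" syslog entries for format-string
payloads (example code written for this archive page, not from the thread)."""
import re
from collections import Counter

# Constructed sample syslog lines (not the poster's full log). The first two
# keep the shape of the posted entry -- caret-rendered address bytes, nine %8x
# pads, two large widths, two %hn writes -- with the \220 sled cut to 8 bytes.
SAMPLE_LOG = r"""Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220
Jul 17 07:47:46 somebox rpc.statd[609]: gethostbyname error for ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220
Jul 17 07:48:01 somebox sshd[700]: Accepted password for gareth from 10.0.0.5
Jul 17 07:50:12 somebox rpc.statd[609]: gethostbyname error for nosuchhost.example
"""

STATD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) rpc\.statd\[\d+\]: "
    r"gethostbyname error for (?P<payload>.*)$")
# printf conversions that matter for triage; %n and %hn are the writes.
DIRECTIVE_RE = re.compile(r"%(\d*)(hn|n|x|s|p|d)")
# Assumption: statd handed this fixed text plus the hostname to syslog() as
# the format string, so the byte count behind %hn starts at its first byte.
PREFIX = "gethostbyname error for "


def unrender(text):
    """Undo syslog's display of non-printable bytes (assumed rendering):
    a three-digit octal escape such as \\220 and caret notation such as ^X
    each stand for one byte. The result has one character per byte."""
    text = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)
    return re.sub(r"\^([@-_])", lambda m: chr(ord(m.group(1)) - 64), text)


def count_nops(payload):
    """Bytes of 0x90 (rendered \\220) in the payload: the NOP sled."""
    return payload.count("\\220")


def simulate_hn_writes(payload, prefix=PREFIX):
    """Walk the format string and return the value each %n/%hn would store.
    %Nx emits at least N characters; on a 32-bit host %8x is exactly 8 and
    the large widths dominate, so the running count is the attacker's count."""
    fmt = prefix + unrender(payload)
    count, pos, writes = 0, 0, []
    for m in DIRECTIVE_RE.finditer(fmt):
        count += m.start() - pos              # literal bytes before the directive
        width, conv = m.group(1), m.group(2)
        if conv in ("n", "hn"):
            writes.append(count & (0xFFFF if conv == "hn" else 0xFFFFFFFF))
        else:
            count += int(width) if width else 1
        pos = m.end()
    return writes


def combined_write(writes):
    """Two %hn halves to adjacent addresses A and A+2 on a little-endian host
    form one 32-bit value, low half first."""
    if len(writes) != 2:
        return None
    return (writes[1] << 16) | writes[0]


def scan(log_text):
    """Return (findings, repeats): one finding per statd line whose hostname
    holds printf directives, and a Counter of identical payloads."""
    findings = []
    for line in log_text.splitlines():
        m = STATD_RE.match(line)
        if not m:
            continue
        payload = m.group("payload")
        directives = [d.group(0) for d in DIRECTIVE_RE.finditer(payload)]
        if not directives:
            continue                          # an ordinary failed lookup
        decoded = unrender(payload)
        writes = simulate_hn_writes(payload)
        findings.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "payload": payload,
            "directives": directives,
            "nop_bytes": count_nops(payload),
            "hn_writes": writes,
            "value_written": combined_write(writes),
            # distance between the first and third target address; 2 means
            # two 16-bit halves of one 32-bit word
            "address_stride": (ord(decoded[8]) - ord(decoded[0])
                               if len(decoded) > 8 else None),
        })
    return findings, Counter(f["payload"] for f in findings)


if __name__ == "__main__":
    found, repeats = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['host']}: {len(f['directives'])} directives, "
              f"{f['nop_bytes']} NOP bytes, %hn writes "
              f"{[hex(w) for w in f['hn_writes']]} -> {hex(f['value_written'])} "
              f"(stride {f['address_stride']})")
    for payload, n in repeats.items():
        print(f"identical payload seen {n} times")
```

Run it against a real messages file by replacing SAMPLE_LOG with the file contents; a hostname that contains any % directive at all is already worth a look, and the repeat count shows whether the attacker was iterating addresses (payloads differ) or retrying the same one.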
Current thread:
- ANOTHER possible Windows problem? David Bernick (Jul 21)
- Re: ANOTHER possible Windows problem? Kris Carlier (Jul 22)
- RE: ANOTHER possible Windows problem? Sander de Rijk (Jul 22)
- Guess this is a hack attemp Gareth Hastings (Jul 22)
- RE: Guess this is a hack attemp Chip McClure (Jul 22)
- Re: Guess this is a hack attemp Alvin Oga (Jul 22)
- <Possible follow-ups>
- RE: ANOTHER possible Windows problem? Powers, James L. (Jul 22)