Security Incidents mailing list archives
dtspcd compromises
From: Russell Fulton <R.FULTON () auckland ac nz>
Date: 21 Jan 2002 20:26:34 +1300
Just an FYI:

Early this morning (0220 local time, Monday) we had a couple of SUN machines compromised via dtspcd. The exploit started a second copy of inetd with a configuration file /tmp/x which bound a root shell on 1524 (ingreslock).

Later in the morning (0800) one of the machines started a synflood attack on another machine on our network. This, combined with the fact that the attack originated from a local ISP, strongly suggests this is the work of some of our students, sigh...

No root kit was installed and no other back doors found, we are reinstalling anyway, of course...

The snort rules in the experimental rules file picked up the attack.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
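A host triage check for the two artefacts the message above describes (a second inetd started with its own configuration file, and a service entry that hands out a shell), as an added example that is not part of the original post. The `ps -ef` output and the contents of the configuration file are constructed samples, since the post shows neither, and the function names are hypothetical.

```python
import os

DEFAULT_CONF = "/etc/inetd.conf"
SHELL_NAMES = {"sh", "ksh", "csh", "tcsh", "bash", "zsh"}

def rogue_inetd(ps_lines):
    """Return (pid, config) for inetd processes started with a non-default config file."""
    hits = []
    for line in ps_lines:
        fields = line.split()
        # Locate the command by name; the STIME column may span one or two fields.
        idx = next((i for i, f in enumerate(fields)
                    if os.path.basename(f) == "inetd"), None)
        if idx is None or idx < 2:
            continue
        # Assumption: the config file is the first argument that is neither
        # an option nor a number.
        conf = next((a for a in fields[idx + 1:]
                     if not a.startswith("-") and not a.isdigit()), None)
        if conf and conf != DEFAULT_CONF:
            hits.append((fields[1], conf))
    return hits

def shell_services(conf_text):
    """Return (service, user, server) for inetd entries whose server program is a shell."""
    hits = []
    for raw in conf_text.splitlines():
        # Fields: service socket-type protocol wait user server-program args...
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue
        service, user, server = fields[0], fields[4], fields[5]
        if os.path.basename(server) in SHELL_NAMES:
            hits.append((service, user, server))
    return hits

# Constructed sample input, not taken from the incident.
SAMPLE_PS = """\
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   178     1  0   Jan 15 ?        0:01 /usr/sbin/inetd -s
    root  9231     1  0 02:20:14 ?        0:00 /usr/sbin/inetd -s /tmp/x
""".splitlines()
SAMPLE_CONF = "ingreslock stream tcp nowait root /bin/sh sh -i\n"

if __name__ == "__main__":
    for pid, conf in rogue_inetd(SAMPLE_PS):
        print(f"inetd pid {pid} is using config file {conf}")
    for service, user, server in shell_services(SAMPLE_CONF):
        print(f"service {service} runs {server} as {user}")
```
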