Security Incidents mailing list archives
Re: Root password changed
From: Chris Barford <C.Barford () student umist ac uk>
Date: Mon, 6 Jan 2003 21:31:01 +0000
you mention apache running: "openssl-too-open is a remote exploit for the KEY_ARG overflow in OpenSSL 0.9.6d and older. It will give you a remote shell with the priviledges of the server process (nobody when used against Apache, root against other servers)." works against apache servers, u dont specify specifically but it would be my guess that this could be the hole in your system. However there are also BIND exploits out there, don't have a clue about them. The way to check is see if your apache leaves port 443 open, and if so look at your version of openssl. As for the logs and no suspicious processes; The chances are a rootkit could have been installed to hide the hackers movements, or he came in, changed the pass and then left again after using a log cleaner. You can recover logs in various ways, google is always a good one or someone on this list can help more with that no doubt. Check for odd dates or sizes on ps. A good place to go to see if you have been "rooted" is: www.chkrootkit.org. My personal tip would be take your computer off the network asap and then do a thorough analysis with it isolated. Quoting RCS <rcs () flashwave com>:
I have no idea how the root password on my FreeBSD 4.0 system was = changed, only I have access to it and I have only SMTP (sendmail = 8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3 . Everything else = is restricted by ACLs at the router. I had to enter single user mode and change it today. I have thoroughly checked running processes and the logs and there is = nothing suspicious.=20 Please give me your opinion on what could have caused this.=20 Thanks -- Roberto Cardona Jr. =20 -- Roberto Cardona Jr. IT/IS Manager Corporate Office Centers | http://www.corporateofficecenters.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Root password changed RCS (Jan 06)
- Re: Root password changed james (Jan 07)
- RE: Root password changed Michael LaSalvia (Jan 07)
- Re: Root password changed Chris Barford (Jan 07)
- Re: Root password changed sysadmin (Jan 07)
- Re: Root password changed Adam Bultman (Jan 07)
- Re: Root password changed Joe Kattner (Jan 07)
- Re: Root password changed Lisa Casey (Jan 07)