Security Incidents mailing list archives

Re: Root password changed

From: Chris Barford <C.Barford () student umist ac uk>
Date: Mon, 6 Jan 2003 21:31:01 +0000

you mention apache running:
"openssl-too-open is a remote exploit for the KEY_ARG overflow in
OpenSSL 0.9.6d and older. It will give you a remote shell with the
priviledges of the server process (nobody when used against Apache,
root against other servers)."

works against apache servers, u dont specify specifically but it would be my 
guess that this could be the hole in your system.

However there are also BIND exploits out there, don't have a clue about them.

The way to check is see if your apache leaves port 443 open, and if so look at 
your version of openssl.

As for the logs and no suspicious processes;

The chances are a rootkit could have been installed to hide the hackers 
movements, or he came in, changed the pass and then left again after using a 
log cleaner. You can recover logs in various ways, google is always a good one 
or someone on this list can help more with that no doubt.

Check for odd dates or sizes on ps. A good place to go to see if you have 
been "rooted" is: www.chkrootkit.org.

My personal tip would be take your computer off the network asap and then do a 
thorough analysis with it isolated.



Quoting RCS <rcs () flashwave com>:

I have no idea how the root password on my FreeBSD 4.0 system was =
changed, only I have access to it and I have only SMTP (sendmail =
8.12.1), POP3 (qpopper), apache 1.3.26 and BIND 8.2.3 . Everything else =
is restricted by ACLs at the router.

I had to enter single user mode and change it today.

I have thoroughly checked running processes and the logs and there is =
nothing suspicious.=20

Please give me your opinion on what could have caused this.=20

Thanks

--
Roberto Cardona Jr.      =20

--
Roberto Cardona Jr.       
IT/IS Manager 
Corporate Office Centers | http://www.corporateofficecenters.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Root password changed RCS (Jan 06)
- Re: Root password changed james (Jan 07)
- RE: Root password changed Michael LaSalvia (Jan 07)
- Re: Root password changed Chris Barford (Jan 07)
- Re: Root password changed sysadmin (Jan 07)
- Re: Root password changed Adam Bultman (Jan 07)
- Re: Root password changed Joe Kattner (Jan 07)
- Re: Root password changed Lisa Casey (Jan 07)