Security Incidents mailing list archives
Re: Break-in attempt from 203.197.38.247
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 23 Aug 2000 13:09:08 -0400
On Tue, 22 Aug 2000 14:20:08 +0200, Cronje Schalk <schalkc () NTABA CO ZA> said:
> What is really strange is a replacement of certain files
>
> ?--------- 14559 root 46449 4294967295 Mar 27 21:57 bashrc
> ?--------- 14559 root 46449 4294967295 Mar 27 21:57 info-dir
> ?--------- 14138 root 8567 4294967295 May 13 1999 named.boot
> ?--------- 14694 root 2584 4294967295 Jul 7 18:49 rpc
> ?--------- 14441 root 12171 4294967295 Aug 17 17:02 shells
> ?--------- 14099 root 8165 4294967295 Aug 21 15:28 termcap
>
> The dates are strange, but then so is most of the file info.
You may wish to re-try the 'ls' with a known good 'ls' binary retrieved off the installation CD or someplace. If THAT produces weird errors, you're looking at either a disk failure (note the ? for file types - that part of the inode is *not* changeable via chmod() system calls) or a *really* talented hacker who's playing twiddle-the-bits with the raw filesystem blocks.

On the other hand, it may just be a rootkitted /bin/ls that's trying to hide (poorly) the fact that some files were modified. If a known good /bin/ls gets it right, that's your explanation.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
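An added example, not part of the original message: one way to run the check suggested above without the suspect /bin/ls is to call lstat() directly and decode the inode's file-type bits, which chmod() cannot change. The function names are hypothetical, the 2**32-1 size test is a heuristic taken from the quoted listing, and the interpreter is assumed to come from trusted media.

```python
import os
import stat
import sys

# ls-style type character for every valid S_IFMT value.
TYPE_CHARS = {
    stat.S_IFREG: "-", stat.S_IFDIR: "d", stat.S_IFLNK: "l",
    stat.S_IFCHR: "c", stat.S_IFBLK: "b", stat.S_IFIFO: "p",
    stat.S_IFSOCK: "s",
}


def type_char(mode):
    """Return the ls type character for st_mode, or '?' if the type bits are invalid."""
    return TYPE_CHARS.get(stat.S_IFMT(mode), "?")


def inode_findings(mode, size):
    """List the reasons an inode's metadata looks corrupted or tampered with."""
    findings = []
    if type_char(mode) == "?":
        findings.append("invalid file-type bits 0o%o" % stat.S_IFMT(mode))
    if size == 0xFFFFFFFF:  # heuristic: the size shown for every odd file in the listing
        findings.append("size is 2**32-1")
    return findings


def audit_dir(path):
    """lstat() each entry in path; return {name: (mode_string, findings)}."""
    report = {}
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        # Type character from our own table, permission bits from stat.filemode().
        mode_string = type_char(st.st_mode) + stat.filemode(st.st_mode)[1:]
        report[name] = (mode_string, inode_findings(st.st_mode, st.st_size))
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc"
    for name, (mode_string, findings) in audit_dir(target).items():
        if findings:
            print(mode_string, name, "; ".join(findings))
```

If this reports clean entries where the installed ls prints `?---------`, the ls binary is the likely culprit; if it reports the same invalid type bits, the on-disk inodes themselves are damaged or altered.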