Security Incidents mailing list archives

Re: Compromised...


From: friedl () MTNDEW COM (Stephen J. Friedl)
Date: Mon, 14 Feb 2000 14:17:08 -0800


At 12:30 PM 2/7/2000 -0600, you wrote:
> There was a directory called ADMROCKS in /var/named.

I'm now in this select club also, and fortunately I caught it right away.
The bad guy had compromised "ls", "ps", "rm", "mv", "netstat", and a host
of others, and he was quite thorough.

While trying to get the system back up enough to assess, I found that I could
not replace certain binaries in /bin with fresh-from-CD versions: a few
limited files got "operation not permitted" when I tried to rename or remove
them.

I was running Red Hat Linux 5.2: is it conceivable that he could have installed
some kind of kernel module to help keep him around? I still have the old drive
freeze-dried and available.

Steve

Stephen J. Friedl / Software Consultant / Tustin, CA / 714-544-6561
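An added example for the situation Steve describes, not code from his message or from anyone else in the thread: a rescue-shell triage script for binaries that root cannot rename or remove. It assumes that the "Operation not permitted" came from the ext2 immutable attribute (chattr +i), which is one well-known cause on Linux 2.x but is not confirmed anywhere in the post; a kernel module, as Steve suggests, is a separate possibility that this script does not detect. The function names (find_locked, build_manifest, compare_manifests), the mount points in the usage comment, and the lsattr output and manifest contents used to exercise it are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or thread.
# Rescue-shell triage for a box whose /bin binaries cannot be renamed or
# removed even by root. One well-known cause on ext2 (Linux 2.x) is the
# immutable attribute set with "chattr +i": root gets "Operation not
# permitted" on rm/mv until "chattr -i" clears it. A rootkit that trojans
# ls/ps/rm may trojan lsattr/chattr too, so run statically linked copies
# from trusted media against the seized drive mounted read-only.

# find_locked: read lsattr-style lines ("flags path") on stdin and print the
# ones whose flag string carries i (immutable) or a (append-only).
find_locked() {
    while read -r flags path; do
        case "$flags" in
            *i*|*a*) printf '%s %s\n' "$flags" "$path" ;;
        esac
    done
}

# build_manifest ROOT: hash every regular file in the usual binary
# directories under ROOT (assumed mount points: ROOT=/mnt/old for the seized
# drive, ROOT=/ on a known-clean install of the same release) and strip ROOT
# so both manifests use the same paths.
build_manifest() {
    root=$1
    for d in bin sbin usr/bin usr/sbin; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -exec md5sum {} +
    done | sed "s#  $root/#  /#"
}

# compare_manifests TRUSTED OBSERVED: both files hold "hash  path" lines as
# md5sum prints them. Prints MODIFIED for paths whose hash differs and
# MISSING for trusted paths absent from the observed tree. awk only, so it
# works from a minimal rescue environment.
compare_manifests() {
    awk 'FILENAME == ARGV[1] { trusted[$2] = $1; next }
         { seen[$2] = $1 }
         END {
             for (p in trusted) {
                 if (!(p in seen))               print "MISSING", p
                 else if (seen[p] != trusted[p]) print "MODIFIED", p
             }
         }' "$1" "$2" | sort
}

# Usage from a rescue boot (assumed mount points), seized drive on /mnt/old:
#   find /mnt/old/bin /mnt/old/sbin -type f -exec lsattr {} + | find_locked
#   build_manifest /        > /tmp/trusted.md5   # on a known-clean install
#   build_manifest /mnt/old > /tmp/observed.md5
#   compare_manifests /tmp/trusted.md5 /tmp/observed.md5
# Anything reported MODIFIED that also shows up in find_locked needs
# "chattr -i" before it can be replaced from trusted media.
```

Note that the locked-file check deliberately runs lsattr per file (via find) rather than lsattr -R, because the recursive form prints directory headers that the simple "flags path" parser would misread.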

