Security Incidents mailing list archives

Re: Compromised...


From: bernz () ALPHA BERNZTECH ORG (David Bernick)
Date: Mon, 7 Feb 2000 19:49:02 -0500


Could certainly be named. There was a recent vulnerability that several
hackers on my freenet (www.bernztech.org) compromised and gained root
remotely. Upgrading named will patch this.

This morning I tried to ssh to a domain I host on one of my boxes.  I soon
realized the domain wasn't resolving.  I then ssh'd to the ip of the box.
I discovered that named wasn't running.  I restarted it.  I was curious to
find out why it had died.  I started looking through the logs and I soon
realized my machine had been broken into. Several binaries had been
replaced.  (ps, ls, netstat, ...).  I replaced the ps and ls and found
some interesting things.  There was a process running called in,telnetd
(notice the comma).  I found this in "/usr/ /":
SNIP


Has anyone else experienced this?  How did they get in?  At this point I'm
pretty sure it was through named.  How should I go about cleaning it up?
Right now I think I'll just reinstall the RPMs off of the CD.  Will this
be enough (along with upgrading BIND)?  If anyone could share any useful
information please do so.

Thanks,
Steve Logan
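Two triage checks for the symptoms described in the quoted message, added here as an example (this is not code from the thread or from either poster): a scan for directory names made only of whitespace, like the "/usr/ /" hideout, and a check for process names that mimic a legitimate daemon with altered punctuation, like "in,telnetd" standing in for in.telnetd. The directory tree, the process listing and the list of expected daemon names are all constructed for the example; on a real host the inputs would be `find / -type d` and `ps -eo comm`.

```shell
#!/bin/sh
# Added example, not from the thread. Offline triage helpers for two
# rootkit symptoms: a whitespace-only directory name ("/usr/ /") and a
# process name that mimics a real daemon ("in,telnetd" vs. in.telnetd).
# The tree, process listing and daemon list are constructed sample data.

# Constructed list of daemon names expected on the host (assumption: adapt it).
KNOWN_DAEMONS="in.telnetd in.ftpd in.rlogind named sshd crond"

# Print every directory under $1 whose basename is nothing but whitespace.
find_blank_dirs() {
    find "$1" -type d 2>/dev/null | while IFS= read -r d; do
        base=${d##*/}
        [ -n "$base" ] || continue      # the root "/" itself has an empty basename
        case "$base" in
            *[![:space:]]*) ;;          # has a visible character: normal name
            *) printf '%s\n' "$d" ;;    # whitespace only: report it
        esac
    done
    return 0
}

# Number of whitespace-named directories under $1.
count_blank_dirs() { find_blank_dirs "$1" | wc -l | tr -d ' '; }

# Strip the punctuation an intruder might swap or insert in a daemon name.
normalize() { printf '%s' "$1" | tr -d '.,_:;'; }

# Exit 0 when $1 is not an exact known daemon name but, with punctuation
# removed, matches one (e.g. "in,telnetd" -> "intelnetd" == "in.telnetd").
is_lookalike() {
    n=$(normalize "$1")
    for k in $KNOWN_DAEMONS; do
        [ "$1" = "$k" ] && return 1                 # exact match: legitimate
        [ "$n" = "$(normalize "$k")" ] && return 0  # same letters, different punctuation
    done
    return 1
}

# Read process names on stdin, one per line, and print the look-alikes.
flag_lookalikes() {
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        if is_lookalike "$p"; then printf '%s\n' "$p"; fi
    done
    return 0
}

# Constructed process listing, in the form `ps -eo comm` prints.
PS_SAMPLE='init
syslogd
named
sshd
in,telnetd
crond'

# Build a constructed tree containing the "/usr/ /" hideout and run both checks.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/ /.x" "$tmp/usr/bin"
    echo "whitespace-named directories:"
    find_blank_dirs "$tmp"
    echo "look-alike process names:"
    printf '%s\n' "$PS_SAMPLE" | flag_lookalikes
    rm -rf "$tmp"
}
demo
```

Both checks rely on `find`, `ps` and `tr` being trustworthy, which on a box where ps, ls and netstat were already replaced is exactly what cannot be assumed; run them from a clean boot medium or against a mounted copy of the disk, and use the package manager's verification (`rpm -Va` on an RPM system, again from trusted media) to find every replaced binary rather than only the ones that happen to stand out.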
