Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Intrusion reported on NANOG

From: "Mike Lewinski" <mike () rockynet com>
Date: Thu, 23 Aug 2001 11:09:29 -0600
----- Original Message -----
From: "Jim Mercer" <jim () reptiles org>
To: <nanog () merit edu>
Sent: Thursday, August 23, 2001 10:39 AM
Subject: resolved Re: should i publish a list of cracked machines?





ok, having seen numerous comments (and numerous requests for the file), i
have decided to punt the list to cert.org and let them deal with it.

- as much as i'd like to, i don't have the time/energy to run through
   the list and contact each netadmin.  i've walked that trail before
   while attempting to nip a few DoS attacks.

- i will not send the list to anyone other than cert, unless suggestions
   can be made for other "authorative" groups who will maybe pick up
   the task of contacting the netadmins in the list

my suspicions and some things to look for:

- boxes were comprimised using the buffer overflow in telnetd

(speculation)

- my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
- nscd appears to be a hacked sshd, listening on a 14000 series port
- it had its own /etc/ssh_* config files (FreeBSD puts them in

/etc/ssh/ssh_*)

- there was a file in /dev/ptaz which appeared to be DES crypto gunge
- there were a bunch of irc/eggdrop related files in a ".e" directory of
    one of the user's $HOME

suggestions for looking about:

- do an ls -lta in bindirs, my systems generally have all /bin /usr/bin

files

    with the same timestamp

- do a "du /dev" and look for anomalies
- do a "cd /dev ; ls -l | grep -e-" and look for anomalies
- do a "ls -ltra /" (as well as /usr and /usr/local) and look for

anomalies


--
[ Jim Mercer        jim () reptiles org         +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: