Security Incidents mailing list archives
Intrusion reported on NANOG
From: "Mike Lewinski" <mike () rockynet com>
Date: Thu, 23 Aug 2001 11:09:29 -0600
----- Original Message -----
From: "Jim Mercer" <jim () reptiles org>
To: <nanog () merit edu>
Sent: Thursday, August 23, 2001 10:39 AM
Subject: resolved Re: should i publish a list of cracked machines?

ok, having seen numerous comments (and numerous requests for the file), i have decided to punt the list to cert.org and let them deal with it.

- as much as i'd like to, i don't have the time/energy to run through the list and contact each netadmin. i've walked that trail before while attempting to nip a few DoS attacks.

- i will not send the list to anyone other than cert, unless suggestions can be made for other "authoritative" groups who will maybe pick up the task of contacting the netadmins in the list

my suspicions and some things to look for:

- boxes were compromised using the buffer overflow in telnetd (speculation)
- my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
- nscd appears to be a hacked sshd, listening on a 14000 series port
- it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
- there was a file in /dev/ptaz which appeared to be DES crypto gunge
- there were a bunch of irc/eggdrop related files in a ".e" directory of one of the user's $HOME

suggestions for looking about:

- do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files with the same timestamp
- do a "du /dev" and look for anomalies
- do a "cd /dev ; ls -l | grep -e-" and look for anomalies
- do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies

--
[ Jim Mercer jim () reptiles org +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]
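The "looking about" checks in the quoted post, written up as shell functions that take a directory argument so they can be pointed at a live host or at a mounted copy of a suspect disk. This is an added example, not code from Jim Mercer's post or the NANOG thread; the function names, the `--run`/`--demo` interface and the demo tree are assumptions, the demo tree is constructed data (not from any real host), and `find -printf` / `-mindepth` assume GNU findutils.

```shell
#!/bin/sh
# Added example (not part of the original post). Each function implements one of
# the post's "looking about" checks against a directory passed as $1.

# Files in a bin directory whose modification day differs from the most common
# one. On an untouched install most of /bin and /usr/bin share the install
# timestamp, so the odd ones out (the post's /usr/sbin/nscd) stand out.
odd_mtime_files() {
    dir="$1"
    listing=$(find "$dir" -maxdepth 1 -type f -printf '%TY-%Tm-%Td %p\n' 2>/dev/null)
    [ -n "$listing" ] || return 0
    modal=$(printf '%s\n' "$listing" | cut -d' ' -f1 | sort | uniq -c \
            | sort -rn | head -n 1 | awk '{print $2}')
    printf '%s\n' "$listing" | awk -v m="$modal" '$1 != m { sub(/^[^ ]+ /, ""); print }'
}

# Regular files under a /dev-style directory. A device directory should hold
# device nodes, directories and symlinks; a plain file there (the post's
# /dev/ptaz) is a classic place to hide configuration or key material.
dev_regular_files() {
    find "$1" -type f 2>/dev/null
}

# ssh_* files sitting directly in an etc directory instead of etc/ssh/, the
# tell-tale of the post's rogue "nscd" carrying its own sshd configuration.
stray_ssh_configs() {
    find "$1" -maxdepth 1 -name 'ssh_*' 2>/dev/null
}

# Entries of a directory modified within the last N days: the "ls -ltra /"
# check, reduced to what actually changed recently.
recent_entries() {
    find "$1" -mindepth 1 -maxdepth 1 -mtime "-$2" 2>/dev/null
}

# Run every check against a root (default /). The root must be a directory;
# a trailing slash is added if missing.
triage_report() {
    root="${1:-/}"
    case "$root" in */) ;; *) root="$root/" ;; esac
    for d in bin usr/bin usr/sbin; do
        echo "== files with odd mtimes in $root$d"; odd_mtime_files "$root$d"
    done
    echo "== regular files in ${root}dev";     dev_regular_files "${root}dev"
    echo "== stray ssh configs in ${root}etc"; stray_ssh_configs "${root}etc"
    for d in "" usr usr/local; do
        echo "== entries in $root$d changed in the last 7 days"; recent_entries "$root$d" 7
    done
}

# Constructed sample tree (hypothetical, not from any real machine) so the
# checks can be exercised offline: three install-dated binaries plus a
# later-dated "nscd", a plain file in dev/, an ssh_* file outside etc/ssh/,
# and one recently changed entry under usr/local. Prints the tree's path.
build_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/dev/pts" "$t/etc/ssh" "$t/usr/local"
    for f in ls cat sh; do touch -t 200101010000 "$t/bin/$f"; done
    touch -t 200108200000 "$t/bin/nscd"
    ln -s /proc/self/fd/0 "$t/dev/stdin"
    printf 'not a device node\n' > "$t/dev/ptaz"
    touch "$t/etc/ssh/ssh_config" "$t/etc/ssh_host_key"
    touch -t 200108010000 "$t/usr/local/old"
    touch "$t/usr/local/new"
    echo "$t"
}

# Nothing runs unless asked, so the file can be sourced for its functions.
case "${1:-}" in
    --run)  triage_report "${2:-/}" ;;
    --demo) d=$(build_demo_tree); triage_report "$d"; rm -rf "$d" ;;
esac
```

`sh triage.sh --demo` runs the checks over the constructed tree and should report only `bin/nscd`, `dev/ptaz`, `etc/ssh_host_key` and `usr/local/new`; `sh triage.sh --run /mnt/suspect/` runs them over a mounted image, which is preferable to running on the compromised host itself, where a trojaned `ls` or `find` could lie.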
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com