Security Incidents mailing list archives
Re: SSH Attempts: Link to RedHat?
From: jon schatz <jon () divisionbyzero com>
Date: 17 Dec 2001 16:26:49 -0800
On Mon, 2001-12-17 at 15:50, Gregg Sperling wrote:
> Surprisingly, I have had several pleasant exchanges with the individual who runs the server. He has offered to allow me access into his server with root access.

you're kidding me.

> Besides checking the standard /var/log/messages log, are there any suggestions as to where I should check for possible breaches in this individual's system?

i'd check the integrity of the installed rpms:

[jon@devotchka jon]$ for i in `rpm -qa`; do rpm -V $i; done

i'd also look for recent additions in /dev (which seems to be the directory of choice for rootkits):

[jon@devotchka /dev]$ ls -tla|more

in fact, you could check file mod times on the whole system to be totally sure. i'd also check what ports were open on the local machine, who was currently connected, and what actual processes were responsible for those ports:

[jon@devotchka /dev]$ netstat -na --inet
[jon@devotchka /dev]$ lsof |grep LISTEN

now the bigger problem is that someone who admins a public linux box would offer root access to a (basically) complete stranger from the interweb. you stated that he had ftp + telnet open (amongst others). RH hasn't enabled telnet by default in a while (i believe ssh has been the default since 7.0). So we're most likely looking at a box running outdated software run by an inexperienced admin. not a particularly hard target from a script kiddie pov. then again, maybe you'll find the fabled openssh2 remote exploit...

hope this helps.

-jon

--
jon () divisionbyzero com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
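An added example, not from jon's post or from anyone in this thread: a small POSIX sh/awk triage of the `rpm -V` output his loop produces. It skips config files (marked `c`, which legitimately differ), reports doc files as low severity, and flags checksum, size or mode changes on everything else; the transcript below is constructed, not real output.

```shell
# Constructed sample of what `for i in $(rpm -qa); do rpm -V $i; done` can emit.
# Columns: verification flags (S size, M mode, 5 md5, T mtime, '.' = ok),
# optional attribute (c config, d doc), path.  Not output from a real host.
SAMPLE_RPMV='S.5....T   /bin/ls
.......T c /etc/inetd.conf
S.5....T c /etc/passwd
missing    /usr/share/doc/foo/README
.M......   /usr/bin/passwd
..5....T   /usr/sbin/sshd
S.5....T d /usr/share/man/man1/ls.1.gz'

# Read rpm -V lines on stdin; print one finding per line worth a closer look.
# MISSING: file gone from disk.  HIGH: md5/size/mode changed on a non-config,
# non-doc file (binaries, libraries).  LOW: same change on a doc file.
# Config files are skipped: an admin editing /etc/passwd is expected.
triage_rpmv() {
    awk '
    {
        flags = $1
        path  = $NF
        if (flags == "missing") { print "MISSING " path; next }
        attr = (NF == 3) ? $2 : ""
        if (attr == "c") next
        if (index(flags, "5") || substr(flags, 1, 1) == "S" || substr(flags, 2, 1) == "M") {
            sev = (attr == "d") ? "LOW" : "HIGH"
            print sev " " path " (" flags ")"
        }
    }'
}

# Number of HIGH findings in a transcript passed as the first argument.
count_high() {
    printf '%s\n' "$1" | triage_rpmv | grep -c '^HIGH '
}

# Run the triage on the constructed sample.
printf '%s\n' "$SAMPLE_RPMV" | triage_rpmv
```

Note that `rpm -V` trusts the local `rpm` binary and database, both of which a rootkit can replace, so on a suspect host compare against a known-good copy or boot from trusted media before believing a clean result.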