Security Incidents mailing list archives

Re: RedHat compromise


From: "Matteo,Marc A." <mmatteo () FUSIONSTORM COM>
Date: Tue, 20 Feb 2001 09:23:29 -0800

Known files modified:
    /etc/inetd.conf:  Line added "smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb"
    /etc/services:    Line added "smbd2    54321/tcp    # Samba"
    crontab table for root:  executes /usr/sbin/init every 5 minutes (the init program resides at /sbin/init and was untouched)

This looks to be the same MO as another box I've seen.  That smb binary
is a modified telnetd (and I believe the password is "Sh!t").  And yes,
it was probably the BIND hole that got you.

BTW: use fsck to check your partition map before you reboot... you
probably don't have one anymore :)

Marc


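The three indicators listed in this message (an added inetd.conf service, a matching /etc/services entry, and a root cron job running a system binary from the wrong path) can be turned into a detection check. The following is an added example, not code from the original post or its author: the sample file contents are constructed to mirror what the post reports, and the KNOWN_SERVICES, ALLOWED_PROGRAMS and CANONICAL_PATHS baselines and all function names are hypothetical. On a real system you would read /etc/inetd.conf, /etc/services and the root crontab and compare against the package's pristine copies instead of these baselines.

```python
"""Detection checks for the three indicators described in the post.

Added example, not from the original message. Sample inputs and the
baseline tables below are constructed for illustration only.
"""
import os

# Constructed sample inputs mirroring the post (not real captured files).
INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
smbd2    stream    tcp    nowait    root    /usr/sbin/in.smb    in.smb
"""

SERVICES = """\
ftp             21/tcp
telnet          23/tcp
netbios-ssn     139/tcp
smbd2    54321/tcp    # Samba
"""

ROOT_CRONTAB = """\
0 4 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/sbin/init
"""

# Hypothetical baselines. In practice, diff against the distribution's
# shipped files (e.g. the package manager's verify mode) rather than these.
KNOWN_SERVICES = {"ftp": 21, "telnet": 23, "netbios-ssn": 139}
ALLOWED_PROGRAMS = {"/usr/sbin/tcpd", "internal"}
CANONICAL_PATHS = {"init": "/sbin/init", "tcpd": "/usr/sbin/tcpd",
                   "logrotate": "/usr/sbin/logrotate"}


def _lines(text):
    """Yield non-empty lines that are not full-line comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def check_inetd(text):
    """Flag inetd.conf entries whose service name is not in the baseline or
    whose server program is outside the allow-list (e.g. a renamed telnetd
    dropped in as /usr/sbin/in.smb)."""
    findings = []
    for line in _lines(text):
        fields = line.split()
        if len(fields) < 6:
            continue
        service, user, program = fields[0], fields[4], fields[5]
        reasons = []
        if service not in KNOWN_SERVICES:
            reasons.append("service name not in baseline")
        if program not in ALLOWED_PROGRAMS:
            reasons.append("server program not in allow-list")
        if reasons:
            findings.append({"service": service, "user": user,
                             "program": program, "reasons": reasons})
    return findings


def check_services(text):
    """Flag /etc/services names absent from the baseline, or whose port
    disagrees with it. Trailing '# comments' are stripped before parsing."""
    findings = []
    for line in _lines(text):
        body = line.split("#", 1)[0].split()
        if len(body) < 2 or "/" not in body[1]:
            continue
        name, (port, _, proto) = body[0], body[1].partition("/")
        expected = KNOWN_SERVICES.get(name)
        if expected is None:
            findings.append({"name": name, "port": int(port), "proto": proto,
                             "reason": "not in baseline"})
        elif expected != int(port):
            findings.append({"name": name, "port": int(port), "proto": proto,
                             "reason": "port differs from baseline"})
    return findings


def check_crontab(text):
    """Flag cron commands whose basename is a known system binary but whose
    path is not the canonical one (/usr/sbin/init where /sbin/init is real)."""
    findings = []
    for line in _lines(text):
        fields = line.split(None, 5)
        if fields[0].startswith("@"):          # @daily-style schedule
            schedule, command = fields[0], " ".join(fields[1:])
        elif len(fields) == 6:
            schedule, command = " ".join(fields[:5]), fields[5]
        else:
            continue
        program = command.split()[0]
        canonical = CANONICAL_PATHS.get(os.path.basename(program))
        if canonical is not None and program != canonical:
            findings.append({"schedule": schedule, "program": program,
                             "canonical": canonical,
                             "reason": "system binary name at non-canonical path"})
    return findings


def find_indicators(inetd=INETD_CONF, services=SERVICES, crontab=ROOT_CRONTAB):
    """Run all checks; a name that is new in both inetd.conf and /etc/services
    at once is reported separately as the strongest single indicator."""
    inetd_f = check_inetd(inetd)
    svc_f = check_services(services)
    linked = sorted({f["service"] for f in inetd_f} & {f["name"] for f in svc_f})
    return {"inetd": inetd_f, "services": svc_f,
            "crontab": check_crontab(crontab), "linked_services": linked}


if __name__ == "__main__":
    for key, value in find_indicators().items():
        print(key, value)
```

The crontab check deliberately keys on the basename rather than on the schedule: a five-minute cron entry is unremarkable on its own, but a file named like a core system binary living in a second directory is the kind of thing an intruder relies on an administrator skimming past.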