Security Incidents mailing list archives
Re: hpd, afb, sc, and sn
From: gminick <gminick () underground org pl>
Date: Sat, 21 Dec 2002 11:53:33 +0100
On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:
> I found suspicious-looking files on a Redhat 7.1 Linux server earlier today. Can anyone confirm or deny that the machine has been hacked?

Yes, you've been cracked, but it's hard to say what toolkit was used since I've never heard of any that uses binaries such as afb, sn or sc. Can you provide these files to us (put them on WWW or sth like that)?

> nmap reports the following ports open:
> Port State Service
> 5/tcp open rje
> [...]
> 8009/tcp open ajp13
> Anyone know about this hack, what afb does and/or how they usually get in?

It's important to determine what services you've been providing before the attack. From nmap's output we can say that vulnerabilities (for example) in sunrpc or your ssh server or DNS server were used to get in.

-- 
[ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ]
[ "I simply like morning solitude, because that's when coffee tastes best." ]

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
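The advice above, to compare what the host is currently listening on against what it was supposed to provide, is the kind of check that is worth scripting during triage. The following is an added example and not code from the thread or from either poster: it parses the "Port State Service" lines of classic nmap output (the sample text is constructed to resemble the quoted scan) and flags open ports that are not in an administrator-maintained baseline. The baseline set, the hostname and the sample lines are assumptions for illustration. Note that in nmap output of this form the Service column is a lookup in nmap-services by port number, not a confirmed identification, so a hit like "rje" on 5/tcp only says that something unexpected is listening there; what it actually is has to be established on the host (for example with netstat -p or lsof).

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the nmap lines quoted in the thread.
# It is not real scan output from the compromised host.
SAMPLE_NMAP_OUTPUT = """\
Interesting ports on victim.example (10.0.0.5):
Port       State       Service
5/tcp      open        rje
22/tcp     open        ssh
53/tcp     open        domain
111/tcp    open        sunrpc
8009/tcp   open        ajp13
"""

# Hypothetical baseline: what the administrator believes this host should
# be serving.  In practice this comes from the build documentation or a
# scan taken when the host was known good.
EXPECTED_SERVICES = {(22, "tcp"), (53, "tcp"), (111, "tcp")}

# Matches lines such as "5/tcp      open        rje".
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.MULTILINE)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    state: str
    service: str  # nmap-services name for the port, not a probed identity


def parse_nmap_ports(text):
    """Return every port line of classic nmap output as an OpenPort."""
    return [
        OpenPort(int(m.group(1)), m.group(2), m.group(3), m.group(4))
        for m in PORT_LINE.finditer(text)
    ]


def unexpected_ports(ports, expected):
    """Open ports that are not in the baseline; candidates for a backdoor or
    a service the attacker enabled."""
    return [p for p in ports if p.state == "open" and (p.port, p.proto) not in expected]


def triage_report(text, expected):
    """Human-readable summary for the incident notes."""
    ports = parse_nmap_ports(text)
    flagged = unexpected_ports(ports, expected)
    lines = [f"{len(ports)} port lines parsed, {len(flagged)} not in baseline:"]
    for p in flagged:
        lines.append(f"  {p.port}/{p.proto} {p.state} (nmap-services name: {p.service})"
                     " -> identify the listening process on the host")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_NMAP_OUTPUT, EXPECTED_SERVICES))
```

Run against the constructed sample this reports 5/tcp and 8009/tcp as outside the baseline, which matches the two ports the original poster singled out; the point of the baseline comparison is that the remaining three ports, although open, are accounted for and can be examined second.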
Current thread:
- hpd, afb, sc, and sn Gordon Chamberlin (Dec 20)
- Re: hpd, afb, sc, and sn gminick (Dec 23)
- Re: hpd, afb, sc, and sn Greg Barnes (Dec 23)
- Re: hpd, afb, sc, and sn Brad Arlt (Dec 23)
- RE: hpd, afb, sc, and sn Bojan Zdrnja (Dec 23)
- Re: hpd, afb, sc, and sn deadcalm (Dec 23)