Security Incidents mailing list archives

Re: hpd, afb, sc, and sn

From: gminick <gminick () underground org pl>
Date: Sat, 21 Dec 2002 11:53:33 +0100

On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:

I found suspicious looking files on a Redhat 7.1 Linux server earlier
today.  Can anyone confirm or deny that the machine has been hacked?

Yes, you've been cracked, but it's hard to say what toolkit was
used since I've never heard of any that's using binaries such as
afb, sn or sc. Can you provide these files to us (put it on
WWW or sth like that) ?

namp reports the following ports open:
Port       State       Service
5/tcp      open        rje

[...]

8009/tcp   open        ajp13

Anyone know about this hack, what afb does and/or how they usually get
in?

It's important to determine what services you've been providing
before attack. From nmap's output we can say that vulnerabilities
(for example) in sunrpc or your ssh server or DNS server were used
to get in.

-- 
[ ] gminick (at) underground.org.pl  http://gminick.linuxsecurity.pl/ [ ]
[ "Po prostu lubie poranna samotnosc, bo wtedy kawa smakuje najlepiej." ]


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

hpd, afb, sc, and sn Gordon Chamberlin (Dec 20)
- Re: hpd, afb, sc, and sn gminick (Dec 23)
- Re: hpd, afb, sc, and sn Greg Barnes (Dec 23)
- Re: hpd, afb, sc, and sn Brad Arlt (Dec 23)
- RE: hpd, afb, sc, and sn Bojan Zdrnja (Dec 23)
- Re: hpd, afb, sc, and sn deadcalm (Dec 23)