Security Incidents mailing list archives

RE: ckcool?


From: "Bob Maccione" <Bob_Maccione () hilton com>
Date: Wed, 20 Feb 2002 16:51:14 -0600

It appears that he had opened the FTP and Telnet ports on the Linksys
and I noticed a line in the /var/log/messages indicating that root was
acquired via ftp.  (I don't have the disk here right now but am going to
mount it up on a box at home to look at the filesystem).

Luckily it wasn't a professional job since there was a home dir called ckcool
and the .so's that were changed were in there.  There was also a passwd-,
etc in /etc.

I'm going to take the disk back home and will attempt to summarize the
findings.

thanks all,
bobm
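The checks described above (comparing /etc/passwd against the passwd- backup for an added account, looking for shared objects dropped under a suspect home directory, and pulling the ftp root login out of /var/log/messages) as an added triage script; this is not from the thread. It assumes the victim's disk is mounted read-only at a path you pass as the first argument, and the sample tree and log line used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Run against a read-only mount of the
# compromised disk, e.g. new_accounts /mnt/victim. Paths are the usual ones.

# Account names present in /etc/passwd but absent from the /etc/passwd- backup
# that useradd/vipw leave behind: catches a newly created user like 'ckcool'.
new_accounts() {
    mnt="$1"
    [ -f "$mnt/etc/passwd" ] && [ -f "$mnt/etc/passwd-" ] || return 1
    old=$(mktemp) || return 1
    cut -d: -f1 "$mnt/etc/passwd-" | sort > "$old"
    cut -d: -f1 "$mnt/etc/passwd" | sort | comm -13 "$old" -
    rm -f "$old"
}

# Any UID-0 account other than root; a rootkit-created user is often uid 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# Shared objects stored under a home directory. Legitimate home directories
# rarely hold .so files; a trojaned library staged there stands out.
home_shared_objects() {
    find "$1" -type f -name '*.so*' 2>/dev/null | sort
}

# ftp daemon log lines that mention root, from the copied syslog.
ftp_root_logins() {
    grep -i 'ftp' "$1/var/log/messages" 2>/dev/null | grep -iw 'root'
}
```

Each function prints its findings so the output can be saved alongside the other evidence from the disk.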



-----Original Message-----
From: James <jlotts () gte net>@INTERNET@HHC 
Sent: Wednesday, February 20, 2002 4:34 PM
To:   Bob Maccione
Cc:   incidents () securityfocus com
Subject:      Fw: ckcool?

There are not any vulnerabilities that I know of.  He probably had that
server set as a 'DMZ server', which in Linksys terms, means that it is
completely open to the Internet.  Were I to hazard a guess, it was
probably changed from the inside.  Do you know if he had the default
password set, or remote administration enabled?

James

-----Original Message-----
From: Bob Maccione [mailto:Bob_Maccione () hilton com]
Sent: Tuesday, February 19, 2002 8:45 AM
To: 'incidents () securityfocus com'
Subject: ckcool?


I have a friend that got hacked running linux.  Luckily it's an immature
enough hack that the mess left behind told me what happened.  In this
case a user was created called 'ckcool' and then a rootkit was thrown
down.  I'm going to get the disk from him to see what all was done but
one thing puzzled me.  It seems that the password on the Linksys
firewall/router was also changed.

Has anyone seen/heard of any vulnerabilities in the Linksys Cable/DSL
router/firewalls?

thanks
bob



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com






