Security Incidents mailing list archives

Re: strange telnet behavior


From: Paul Gear <paulgear () bigfoot com>
Date: Sat, 23 Feb 2002 07:09:01 +1000

Gideon Lenkey wrote:

> On Tue, 19 Feb 2002, Bryan Andersen wrote:
>
> > Make a backup. wipe and reload.  Then restore your data only.
> > It has been rooted.  Telnet should not be doing that at all.
>
> You really don't have to wipe and reload to recover from this root kit.
> It really doesn't change much. See the instructions in the archive:
>
>         http://online.securityfocus.com/archive/75/249597

Those instructions may be sufficient for cleaning up the residue of the
*attack*, but because it's a root kit, they could have done anything to the
system.  Unless you know _exactly_ what they've done (which is highly unlikely
unless you're running full auditing), standard practice after any root
compromise should be to reinstall and restore from backup.

Paul
http://paulgear.webhop.net
