[lug] Addendum to Cracked system
Chip Atkinson
chip at rmpg.org
Fri Sep 1 18:28:53 MDT 2000
The shell965 is actually the bind.sh program which hangs out on port 60000.
Chip
On Fri, 1 Sep 2000, Chip Atkinson wrote:
> Greetings,
>
> I discovered that a machine in my charge has been totally cracked. I
> believe that they went in via some exploit in bind. There is a bind RPM
> in the cracker's working directory of bind-8_2_2_P3-1_i386.rpm.
>
> The root kit that they installed only replaced /bin/login and /bin/ps, but
> installed all kinds of things for remote denial of service and other
> things. There was also a process called shell965, which was being
> screened out by the ps.
>
> To see if you have this problem, check for
> /usr/bin/h2so4 and
> dev/...32865e73tbvefgdsgft3r5etgDSFGSDGdg
>
> These are the original ps and login that were wrapped by the new ps and
> login scripts.
>
> FWIW,
> Chip
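The checks named in the two messages above (the two renamed originals, the listener on port 60000, and processes that ps screens out), as an added example that is not part of the original posts. The function names are hypothetical, and reading "dev/..." as /dev/... is an assumption.

```shell
#!/bin/sh
# Added example; indicators are taken from the messages above.

# Succeeds if either renamed original exists under ROOT ($1, default /).
# "dev/..." in the message is read here as /dev/... (assumption).
check_ioc_files() {
    found=1
    for f in "${1:-}/usr/bin/h2so4" \
             "${1:-}/dev/...32865e73tbvefgdsgft3r5etgDSFGSDGdg"; do
        if [ -e "$f" ]; then echo "FOUND: $f"; found=0; fi
    done
    return "$found"
}

# Succeeds if a socket is in LISTEN state (0A) on TCP port $1, reading a
# /proc/net/tcp-format file ($2, IPv4 only) instead of asking netstat.
listening_on_port() {
    awk -v p="$(printf '%04X' "$1")" 'NR > 1 {
        n = split($2, a, ":")
        if (toupper(a[n]) == p && $4 == "0A") { print $2; hit = 1 }
    } END { exit !hit }' "${2:-/proc/net/tcp}"
}

# Prints PIDs listed in $1 (one per line, from /proc) that are missing
# from $2 (ps output, PID in the first column).
hidden_pids() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen) { print $1 }' "$2" "$1"
}

# Wire the three checks together on a running host.
live_check() {
    t=$(mktemp -d) || return 2
    ls /proc | grep '^[0-9][0-9]*$' > "$t/proc"
    # comm= keeps the name in the output so a filtering ps wrapper still
    # sees it (assumption about how the replaced ps screens processes).
    ps -e -o pid= -o comm= > "$t/ps"
    check_ioc_files ""
    listening_on_port 60000 && echo "listener on TCP 60000"
    hidden_pids "$t/proc" "$t/ps" | sed 's/^/PID not shown by ps: /'
    rm -rf "$t"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Run it with `--live` from trusted media. PIDs of short-lived processes, including the `ls` and `grep` in the pipeline, can appear as false positives, so look for PIDs that persist across runs.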