[lug] Cracked system
Chip Atkinson
chip at rmpg.org
Fri Sep 1 18:18:04 MDT 2000
Greetings,

I discovered that a machine in my charge has been totally cracked. I
believe that they went in via some exploit in bind. There is a bind RPM
in the cracker's working directory of bind-8_2_2_P3-1_i386.rpm.

The root kit that they installed only replaced /bin/login and /bin/ps, but
installed all kinds of things for remote denial of service and other
things. There was also a process called shell965, which was being
screened out by the ps.

To see if you have this problem, check for
/usr/bin/h2so4 and
dev/...32865e73tbvefgdsgft3r5etgDSFGSDGdg
These are the original ps and login that were wrapped by the new ps and
login scripts.

FWIW,
Chip
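A defender's check for the indicators Chip lists, added here as an example (not part of the original post): it counts the two marker paths under a given root, tests whether /bin/ps and /bin/login are still ELF binaries rather than wrapper scripts, and lists PIDs present in /proc that the system's own ps does not report. On a cracked box every tool it calls (dd, od, ps) is suspect, so where possible run it against a mounted image from known-good media; the ROOT argument exists for that.

```shell
#!/bin/sh
# Hypothetical rootkit check (added example, not from the original post).
# Usage: sh rootkit-check.sh [ROOT]   (ROOT defaults to /)

# Marker paths from the post: the original ps and login, stashed where the
# wrapper scripts could exec them.
INDICATORS='usr/bin/h2so4
dev/...32865e73tbvefgdsgft3r5etgDSFGSDGdg'

# Echo how many of the marker paths exist under $1; report each on stderr.
count_indicators() {
    root=${1:-/}
    n=0
    for rel in $INDICATORS; do
        if [ -e "$root/$rel" ]; then
            echo "FOUND: $root/$rel" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# True when $1 starts with the ELF magic (7f 45 4c 46). A /bin/ps or
# /bin/login that is really a shell script fails this test.
is_elf() {
    magic=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ]
}

# PIDs visible in /proc but absent from ps output, which is what a ps that
# hides a process such as shell965 would produce. Processes that start
# between the two readings show up as noise; rerun to confirm.
hidden_pids() {
    [ -d /proc ] || return 0
    ps_pids=$(ps -e -o pid= 2>/dev/null | tr -d ' ')
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        echo "$ps_pids" | grep -qx "$pid" || echo "$pid"
    done
}

main() {
    root=${1:-/}
    echo "rootkit marker paths found: $(count_indicators "$root")"
    for bin in bin/ps bin/login; do
        is_elf "$root/$bin" || echo "WARNING: $root/$bin is not an ELF binary"
    done
    hidden=$(hidden_pids)
    if [ -n "$hidden" ]; then echo "PIDs in /proc not shown by ps: $hidden"; fi
}

main "$@"
```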