[lug] Interesting Crash Report
D. Stimits
stimits at idcomm.com
Tue Mar 20 17:17:49 MST 2001
Your rpc ports were cracked. Your only real choice is a complete
reinstall, maybe saving data. You might want to search through
/etc/services for the word "rpc" on the new install, and firewall all of
these from any host that isn't guaranteed to need it. Do *not* reconnect
to any network without the most recent version of all nfs utils. Just in
case the cracker didn't remove all log entries, save a copy of any
/var/log/ files, and look for anything near the end that might give you
an idea of who else to firewall.
FYI, I see daily attempts at my rpc ports, especially 111. Some are port
scans, others appear to be actual attempts at entry. Anyone without
*current* rpc programs for NFS, or without properly firewalled rpc, will
get cracked; it is only a matter of time. I've denied about two dozen
/24 domains just because I dislike seeing anything hit port 111 (the
first packet gets them blocked).
D. Stimits, stimits at idcomm.com
David wrote:
>
> Well, I do not know if what follows really is interesting; but it has
> consumed my time quite effectively. At one point it occurred to me
> that the damage might be due to a virus.
>
> I turn off my machine at the end of each day, and re-boot the next
> time I want to use it; I am using RedHat 6.2. Last evening I shut
> down, essentially normally; although I did notice that statd failed,
> whatever that means, and I was having some problem with communicating
> with my ISP immediately before shutting down.
>
> This morning I could not log in. The software came up properly to the
> point of the login prompt; but that was it; thereafter I could not log
> in as anybody; there are three accounts, including root, on my
> machine. I did not try booting from a floppy because the machine had
> booted.
>
> I have a "spare" installation of Linux on another disc, so I was able
> to get going. I poked around looking for files that were altered
> yesterday; and, sure enough, /bin/login was dated Mar 19 and the ls
> entry looked different from that in the spare Linux. I copied over
> the spare, re-booted, and everything appears to be fine.
>
> Here is the original login entry (the .orig I added before doing the
> copy), I do not have user 500, nor group 500:
>
> -r-sr-xr-x 1 500 500 20452 Mar 19 22:43 login.orig*
>
> And here is the copied entry, that works; it is dated Mar 7 2000 in
> the spare Linux.
>
> -rwxr-xr-x 1 root root 20452 Mar 20 22:08 login*
>
> Any comments? What does the stat daemon do?
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
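The checks the two messages describe (which files changed yesterday, which set-uid binaries are not the ones from a known-good install, what is owned by an unexpected uid) as an added shell example; it is not code from either message, and the directory names and sample files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the list post. Automates the sweep David did by
# hand: compare a binary directory with a known-good copy from a spare
# install, and list files modified after a chosen point in time.
# Assumes POSIX sh plus cmp, find, ls, awk, mktemp and touch -t.

# audit_bin SUSPECT_DIR GOOD_DIR: one line per finding, nothing if clean.
audit_bin() {
    suspect=$1; good=$2
    find "$suspect" -type f | while read -r cur; do
        ref="$good/${cur#"$suspect"/}"
        # Present on the system but absent from the spare install
        [ -e "$ref" ] || { echo "EXTRA    $cur"; continue; }
        # Content no longer matches the known-good binary (trojaned login)
        cmp -s "$cur" "$ref" || echo "CHANGED  $cur"
        # Set-uid bit gained since the reference copy; show owner:group too,
        # since the replacement login in the post was owned by 500:500
        if [ -u "$cur" ] && [ ! -u "$ref" ]; then
            echo "NEW-SUID $cur $(ls -ld "$cur" | awk '{print $3":"$4}')"
        fi
    done
    find "$good" -type f | while read -r ref; do
        cur="$suspect/${ref#"$good"/}"
        [ -e "$cur" ] || echo "MISSING  $cur"
    done
}

# recent_changes DIR MARKER: files under DIR modified after MARKER's mtime.
recent_changes() {
    find "$1" -type f -newer "$2" | sort
}

# make_fixture: constructed sample data in a temp dir (prints its path).
# good/ stands in for the spare install, bin/ for the compromised system.
make_fixture() {
    d=$(mktemp -d); mkdir "$d/good" "$d/bin"
    printf 'genuine login\n' > "$d/good/login"
    printf 'genuine ls\n'    > "$d/good/ls"
    cp "$d/good/ls" "$d/bin/ls"
    printf 'trojan login\n'  > "$d/bin/login"; chmod 4555 "$d/bin/login"
    printf 'planted\n'       > "$d/bin/.sniff"   # hidden extra file
    touch -t 200003070000 "$d/good/login" "$d/good/ls" "$d/bin/ls"
    touch -t 200103190000 "$d/marker"            # start of "yesterday"
    touch -t 200103192243 "$d/bin/login"
    echo "$d"
}

demo=$(make_fixture)
audit_bin "$demo/bin" "$demo/good"
recent_changes "$demo/bin" "$demo/marker"
rm -rf "$demo"
```

On a real system the reference tree would be the spare installation's /bin mounted read-only, and the marker a file known to predate the incident.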