[lug] Ancient RH box hacked, which packages must be updated?
Chip Atkinson
chip at rmpg.org
Fri Mar 26 12:03:53 MST 2004
That's a really good point and possibility. I had a box get cracked and
it was listening on another port. I used netstat to try to find the
listening ports and it was complaining that a legitimate argument was
invalid. That's when I started poking around and discovered a compromised
set of programs. It was kind of interesting in that the new programs were
wrappers around the original scripts that were moved and renamed.
Once I got a good ps and netstat, I could see the back door daemons
listening on port 1337 (leet).
Chip
On Fri, 26 Mar 2004, Bill Gjestvang wrote:
> If the box has been rooted, there are probably backdoors installed. He
> may not be coming in the way he originally got in.
> -Bill Gjestvang
>
> Bear Giles said:
> > Lee Woodworth wrote:
> >> I know that 2 years ago a secondary-DNS server in Golden was
> >> hacked. The box was running RH6 with an old SSH. The hack was
> >> through SSH. IIRC there was some weakness in version 1 of the
> >> protocol and the RH6 sshd only supported version 1.
> >
> > We don't know how the guy is getting in, only that it's not
> > through one of the services we've already shut down. I thought we had
> > updated ssh to 3.6 a while back, but it seems to still be
> > running 3.5.
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
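The trick Chip describes (trojaned ps/netstat hiding a listener on 1337) is why a cross-check that does not depend on the userland tools is useful. Below is an added example, not code from this thread, that reads the kernel's own socket table (the /proc/net/tcp format) and lists LISTEN sockets, then diffs them against what netstat reported. The sample table and the netstat port list are constructed; the IPv4 decoding assumes a little-endian host.

```python
import socket
import struct

# Constructed stand-in for /proc/net/tcp on a compromised box:
# sshd on 22, a local DNS on 53, an unknown listener on 0x0539 (1337),
# and one established ssh session (state 01) for contrast.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:0539 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0A000002:0016 0A000001:C4A3 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A  # socket state column value for LISTEN

# Constructed: the ports a (possibly tampered) netstat printed for the same box.
NETSTAT_REPORTED = [22, 53]


def decode_addr(hex_addr):
    """Turn 'HHHHHHHH:PPPP' into ('a.b.c.d', port).

    The kernel prints the IPv4 address as a 32-bit word in host byte
    order; on little-endian hosts 0100007F is 127.0.0.1 (assumed here).
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_ports(proc_tcp_text):
    """Return sorted (ip, port) tuples for every socket in LISTEN state."""
    found = []
    for line in proc_tcp_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        found.append(decode_addr(fields[1]))
    return sorted(found)


def hidden_listeners(proc_tcp_text, reported_ports):
    """Ports the kernel says are listening but netstat did not report."""
    kernel_ports = {port for _, port in listening_ports(proc_tcp_text)}
    return sorted(kernel_ports - set(reported_ports))


if __name__ == "__main__":
    for ip, port in listening_ports(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {ip}:{port}")
    print("not reported by netstat:", hidden_listeners(SAMPLE_PROC_NET_TCP, NETSTAT_REPORTED))
```

On a live box, feed it open("/proc/net/tcp").read() instead of the sample; a non-empty diff means netstat (or the kernel's view of it) cannot be trusted and the box should be rebuilt from known-good media rather than patched in place.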