[lug] Hacked SSH Daemon
dio2002 at indra.com
dio2002 at indra.com
Fri Sep 7 20:01:16 MDT 2007
>> If you want to have some fun, it's usually pretty easy to follow the
>> tracks of a hacker. You can usually find the hacker's tracks and
>> back-track them and see how he got in so you can protect yourself in the
>> future and on other machines. Check log files, .history, scan for files
>> modified by date, dot-files are used frequently, ... Nowadays, linux
>> machines are pretty secure, but root compromises still happen from time
>> to time.
>
> I'm guessing since the other package that has major problems with RPM -V
> is webmin that it was the entry point.
>
> It appears to me that they used WebMin to drop the trojaned SSH daemon
> in place, and then erased WebMin to keep anyone else from doing it.
I'm curious about the trackback procedure you used to discern this.
Obviously the size tipped you off and maybe you stopped right there. But
if you used any other methods to trace the actions, including the logs
mentioned above, i'd like to know what steps you took and any logs you
found clues in (if you have the time).
thanks
More information about the LUG
mailing list