[Plug-security] I'm Cracked

Brian Cluff brian@snaptek.com
Tue, 15 Aug 2000 15:27:11 -0700 

do a rpm -Va
and look at all the programs that got changed, most of the root kits that
are going around affect login, ps,top,lsof,chsh,chfn, find,ls,who,w,last
....etc.etc... you can bet that your ls and find aren't going to report any
"..." directories or anyplace else that they don't want to to see.

Try either replaceing the rpm that contains ls and and do an ls of the /dev
directory.  I would be willing to bet that there is either a ... directory
or some other mysterious directory that should be there.
An alternative to re-installing ls would be to do /home/ftp/bin/ls as they
usually don't touch that version of ls.

You will definatly want to get all those programs fixed as most of them are
trojans and backdoor for regaining root access.

Do a port scan and check to see if you have a rogue telnet running on a
strange port, offering root to whoever telnets to it.

after re-installing ps, check for a password sniffer.  You will probably
find the list of sniffed passwords somewhere in the /dev/mystery directory.

last but not least, check for added lines to your rc.local file that will
re-hack you at startup.

thats as much as I can remember/have time to type off the top of my head
about most of the script kiddy stuff going around these days.

Brian Cluff
----- Original Message -----
> It didn't take long, but my Red Hat 6.2 installation has
> been cracked.  I did a basic install and nothing else.
> It appears as though somebody did an anonymous 'ftp'
> and did something that allowed them to create two
> accounts (scam and x).  I cannot find any other files
> that may have been copied onto the machine.  The machine
> will be re-installed sometime soon, but at this moment
> the only thing I've done is remove 'ftp' from /etc/passwd,
> deleted bogus accounts, and changed passwords on the
> remaining user accounts.  I'd like to do checksums
> to see if programs such as passwd and login have been
> replaced, but that is for another time.
>
> Does anybody know how this crack was accomplished?
>
> Thanks.
>
> G.D.Thurman [CS/CIS Instructor]  Scottsdale Community College
> phone:  480.423.6110    fax:  480.423.6101     icq:  65265811
> http://www.inficad.com/~thurmunit/      thurmunit@inficad.com
>
>
> _______________________________________________
> Plug-security mailing list  -  Plug-security@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-security