[Plug-security] I'm Cracked
Furmanek, Greg
Greg.Furmanek@hit.cendant.com
Tue, 15 Aug 2000 18:50:03 -0400
Pretty good summary.
The Wolf
-> -----Original Message-----
-> From: Brian Cluff [mailto:brian@snaptek.com]
-> Sent: Tuesday, August 15, 2000 3:27 PM
-> To: plug-security@lists.PLUG.phoenix.az.us
-> Subject: Re: [Plug-security] I'm Cracked
->
->
-> do a rpm -Va
-> and look at all the programs that got changed, most of the root kits that
-> are going around affect login, ps, top, lsof, chsh, chfn, find, ls, who, w, last
-> ....etc.etc... you can bet that your ls and find aren't going to report any
-> "..." directories or anyplace else that they don't want you to see.
->
-> Try either replacing the rpm that contains ls and do an ls of the /dev
-> directory. I would be willing to bet that there is either a ... directory
-> or some other mysterious directory that shouldn't be there.
-> An alternative to re-installing ls would be to do /home/ftp/bin/ls as they
-> usually don't touch that version of ls.
->
-> You will definitely want to get all those programs fixed as most of them are
-> trojans and backdoors for regaining root access.
->
-> Do a port scan and check to see if you have a rogue telnet running on a
-> strange port, offering root to whoever telnets to it.
->
-> After re-installing ps, check for a password sniffer. You will probably
-> find the list of sniffed passwords somewhere in the /dev/mystery directory.
->
-> Last but not least, check for added lines to your rc.local file that will
-> re-hack you at startup.
->
-> That's as much as I can remember/have time to type off the top of my head
-> about most of the script kiddy stuff going around these days.
->
-> Brian Cluff
-> ----- Original Message -----
-> > It didn't take long, but my Red Hat 6.2 installation has
-> > been cracked. I did a basic install and nothing else.
-> > It appears as though somebody did an anonymous 'ftp'
-> > and did something that allowed them to create two
-> > accounts (scam and x). I cannot find any other files
-> > that may have been copied onto the machine. The machine
-> > will be re-installed sometime soon, but at this moment
-> > the only thing I've done is remove 'ftp' from /etc/passwd,
-> > deleted bogus accounts, and changed passwords on the
-> > remaining user accounts. I'd like to do checksums
-> > to see if programs such as passwd and login have been
-> > replaced, but that is for another time.
-> >
-> > Does anybody know how this crack was accomplished?
-> >
-> > Thanks.
-> >
-> > G.D.Thurman [CS/CIS Instructor] Scottsdale Community College
-> > phone: 480.423.6110 fax: 480.423.6101 icq: 65265811
-> > http://www.inficad.com/~thurmunit/ thurmunit@inficad.com
-> >
-> >
-> > _______________________________________________
-> > Plug-security mailing list - Plug-security@lists.PLUG.phoenix.az.us
-> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-security
->
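As an added example (not part of this thread or of anyone's post in it), here is a small shell script that turns Brian's checklist into repeatable checks: filtering `rpm -Va` output down to the binaries he names, listing hidden entries under /dev, comparing listening ports against a baseline, spotting a promiscuous interface (the usual trace of a password sniffer), and diffing rc.local against a pristine copy. Every function reads stdin or a path argument so it can be run over captured output as well as on the suspect host. The variable and function names are the example's own; `ROOTKIT_TARGETS` extends the thread's list with netstat and ifconfig, which are assumptions on my part, and the rc.local line in the sample is constructed. The thread's own caveat applies throughout: a trojaned ls, find or ps lies, so run these with binaries you trust (the `/home/ftp/bin/ls` trick, a freshly reinstalled package, or rescue media).

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the post-compromise checks
# Brian lists. All names here are the example's own.

# Binaries the thread names as common rootkit targets on Red Hat 6.x, plus
# netstat and ifconfig (my addition: checks 3 and 4 depend on them telling the truth).
ROOTKIT_TARGETS='login ps top lsof chsh chfn find ls who w last netstat ifconfig'

# 1. Keep only 'rpm -Va' lines whose file is a listed binary and whose size (S)
#    or MD5 digest (5) differs from the package.  Usage: rpm -Va | flag_modified_binaries
flag_modified_binaries() {
  awk -v targets="$ROOTKIT_TARGETS" '
    BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
    # verify lines look like "S.5....T    /bin/ls" or "missing     /bin/ls"
    $1 ~ /^[S.][M.][5.]/ && NF >= 2 {
      path = $NF; base = path; sub(/.*\//, "", base)
      if ((base in want) && (substr($1, 1, 1) == "S" || substr($1, 3, 1) == "5")) print path
    }'
}

# 2. Hidden entries under a directory such as /dev ("...", ".. " and friends).
#    A trojaned find will not report them, so use one you trust.  Usage: find_hidden_dirs /dev
find_hidden_dirs() {
  find "$1" -mindepth 1 -name '.*' -print 2>/dev/null | sort
}

# 3. Listening ports that are not in the baseline this box is meant to serve.
#    Feed it one port per line, for example:
#      netstat -tln | awk 'NR > 2 { sub(/.*:/, "", $4); print $4 }' | unexpected_listeners "21 22 80"
#    and confirm with a port scan from another host, since a trojaned netstat lies.
unexpected_listeners() {
  baseline=" $1 "
  while IFS= read -r port; do
    case "$baseline" in
      *" $port "*) ;;          # expected service
      *) echo "$port" ;;       # something else is listening, e.g. a rogue telnet
    esac
  done
}

# 4. Interfaces in promiscuous mode, the usual trace of a password sniffer.
#    Accepts 'ifconfig -a' (old style) or 'ip link' output on stdin.
promisc_interfaces() {
  awk '
    /^[0-9]+: / { iface = $2; sub(/:$/, "", iface) }   # "2: eth0: <...,PROMISC,UP>"
    /^[A-Za-z]/ { iface = $1; sub(/:$/, "", iface) }   # "eth0   Link encap:Ethernet ..."
    /PROMISC/   { print iface }'
}

# 5. Lines in the live rc.local that are absent from a pristine copy (for
#    instance one extracted from the initscripts rpm).
#    Usage: rc_additions pristine.rc.local /etc/rc.d/rc.local
rc_additions() {
  grep -vxF -f "$1" "$2" || true
}
```

Anything printed by checks 1 to 5 is a lead, not proof: a legitimately edited config shows up in `rpm -Va` too, and a sniffer that does not flip PROMISC will not show up in check 4. The value of the script is that it reads captured output, so you can run the live commands once from trusted binaries, save the output, and work on the copy.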