I'm not sure which packages were actually exploited, but I know that on at
least one of the machines both the ftpd and the named were old and had known
root exploits. I suspect the other machine had the same issues.

On one of the machines we ran a Nessus scan on it, and found, mysteriously, a
telnet daemon running on port 516. We attempted to connect to it, and found
that it logged to /var/log/secure as in.taskd, but we could find no other
references to it. Did a locate for taskd, and locate said it was in
/usr/sbin/in.taskd, but it wasn't! We'd also noticed some weird behavior such
as top not working right anymore and netstat not working right, etc. (red
flags).

So we did a bit more looking, and then I started thinking: well, if it's
logging in secure, it must be running through inetd, but we didn't find
anything in inetd.conf. So I did a locate for inetd to see if maybe I could
tell anything from that, and lo and behold, there was a SECOND inetd in
"/usr/ /tools"! (Yes, that's a space there. Isn't that clever? ;D) So I did a
bit more looking, and yep, that was how he came back after the initial sploit.
He had a nifty little script that would cover his tracks by removing his
traces from secure etc.

Anyway, he wasn't that great, because though he replaced all the naughty bits
he didn't update the RPM database, and so a quick rpm --verify -a gave me a
list of all the core files that have been changed. We're checking that out
right now to determine if we should just do a full reinstall.

Speaking of which, what's the command line for netstat to give you a listing
of all the listening ports? Is it netstat -lp?

On Fri, Mar 03, 2000 at 01:05:07AM -0700, Jay wrote:
>
> Hey Jiva. Although I don't keep up on the RH stuff, I think I saw
> something like this come across the daily Freshmeat batch within the last
> week or so. You may want to do a search over there.
>
> Question -- What packages were sploited on their systems? Share with the
> rest of us some of the details so that we can all make sure we're up to
> date... :)
>
> ~Jay
>
> On Fri, 3 Mar 2000 jiva@devware.com wrote:
>
> > 2 count em 2 of my friends running linux discovered tonight their
> > machines had been rooted! And the only reason was because they didn't
> > keep their packages up to date. Does anyone know of a script that'll
> > get just the latest security fixes on RedHat?
>
> - J a y J a c o b s o n
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> - President / CEO Wired Global Communications, Inc.
> - Fax: 602.674.8725 Internet Engineering Solutions
> - Voice: 602.674.9900 http://www.wiredglobal.net
>
> In a world where an admin is rendered useless when the ball in his mouse
> has been taken out, it is good to know that I know UNIX.
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

-- 
petribar: Any sun-bleached prehistoric candy that has been sitting in the
window of a vending machine too long. -- Rich Hall, "Sniglets"
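The four checks the post above walks through (rpm --verify -a against the package database, a path that locate still lists but that is gone from disk, a directory hidden behind a name containing a space, and a listening socket nobody configured), written up as an added shell example that is not part of the original mail or of any Red Hat tooling. The rpm -Va output, the netstat -lnp output, the locate list and the directory tree are all constructed sample data built in a temp directory so the script runs offline; on a real box you would feed it the output of rpm -Va, locate and netstat -lnp (-l listening sockets, -n numeric addresses, -p owning PID/program, which needs root to show other users' processes). One caveat the post itself motivates: it reports top and netstat misbehaving, so any of these commands run from the compromised host's own binaries can lie; run them from known-good binaries (rescue media or a trusted static copy) and treat a clean rpm -Va as a hint, not as proof, since rpm and its database can be replaced too.

```sh
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.

# 1. rpm -Va prints one line per packaged file that fails verification.
#    Field 1 is the flag string (S size, M mode, 5 digest, D device, L link,
#    U user, G group, T mtime; '.' means that test passed); a lone c/d/g/l/r
#    in field 2 tags config, doc, ghost, license or readme files; the word
#    "missing" replaces the flags when the file is gone. Print non-config
#    files whose digest changed, i.e. binaries that were replaced.
rpm_replaced_binaries() {
    awk '$1 ~ /5/ {
             line = $0
             sub(/^[^ ]+ +/, "", line)        # drop the flag field
             if (line ~ /^[cdglr] /) next     # skip config/doc entries
             print line
         }' "$1"
}

# 2. Paths that locate (or rpm) still lists but that no longer exist on disk,
#    like the post's /usr/sbin/in.taskd. $1: file with one path per line.
paths_missing_from_disk() {
    while IFS= read -r p; do
        [ -e "$p" ] || printf '%s\n' "$p"
    done < "$1"
}

# 3. Directories whose basename contains a space: the "/usr/ /tools" trick
#    is really a directory named " " under /usr. $1: root to search.
dirs_with_space_in_name() {
    find "$1" -type d -name '* *' 2>/dev/null | sort
}

# 4. Parse saved `netstat -lnp` output and print LISTEN sockets whose port
#    is not on the space-separated allowlist in $2, with the owning program.
unexpected_listeners() {
    awk -v allow=" $2 " '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]   # last field also covers :::22
            if (index(allow, " " port " ") == 0) print port, $NF
        }' "$1"
}

# --- constructed sample data (assumed, not captured from a real host) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/rpm-va.txt" <<'EOF'
S.5....T.   /bin/netstat
S.5....T.   /usr/bin/top
.......T.   /bin/ls
S.5....T. c /etc/inetd.conf
missing     /usr/sbin/in.taskd
EOF

cat > "$demo_dir/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address State  PID/Program name
tcp        0      0 0.0.0.0:22     0.0.0.0:*       LISTEN 412/sshd
tcp        0      0 0.0.0.0:516    0.0.0.0:*       LISTEN 9031/inetd
tcp        0      0 127.0.0.1:25   0.0.0.0:*       LISTEN 501/sendmail
udp        0      0 0.0.0.0:53     0.0.0.0:*              388/named
EOF

mkdir -p "$demo_dir/usr/ /tools" "$demo_dir/usr/sbin"
printf '%s\n' "$demo_dir/usr/sbin/in.taskd" "$demo_dir/rpm-va.txt" \
    > "$demo_dir/locate.txt"

rpm_replaced_binaries "$demo_dir/rpm-va.txt"          # /bin/netstat, /usr/bin/top
paths_missing_from_disk "$demo_dir/locate.txt"        # .../usr/sbin/in.taskd
dirs_with_space_in_name "$demo_dir/usr"               # .../usr/ (a dir named " ")
unexpected_listeners "$demo_dir/netstat.txt" "22 25"  # 516 9031/inetd
```

The allowlist for unexpected_listeners is whatever you know the box should be serving; anything else, especially a port owned by inetd that inetd.conf does not mention, is exactly the kind of thing the second inetd in the post would produce.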