Damn. Sorry to see this happen to one of our own.

Try:

    netstat -a
    lsof

It seems like on Fri, Mar 03, 2000 at 02:09:06AM -0700, jiva@devware.com scribbled:

Orig Msg> I'm not sure which packages were actually exploited, but I know that
Orig Msg> on at least one of the machines both the FTPd and the named were old,
Orig Msg> and had known root exploits. I suspect the other machine had the same
Orig Msg> issues. On one of the machines, we ran a nessus scan on it, and found
Orig Msg> mysteriously, on port 516 a telnet daemon running. We attempted to
Orig Msg> connect to it, and found that it logged in the /var/log/secure as
Orig Msg> in.taskd, but we could find no other references to it. Did a locate
Orig Msg> for taskd, and locate said it was in /usr/sbin/in.taskd but it wasn't!
Orig Msg> We'd also noticed some weird behavior such as top not working right
Orig Msg> anymore and netstat not working right etc (red flags).
Orig Msg>
Orig Msg> So we did a bit more looking, and then I started thinking, well, if
Orig Msg> it's logging in secure, it must be running through inetd, but we
Orig Msg> didn't find anything in inetd.conf. Sooo, I did a locate for inetd to
Orig Msg> see if maybe I could tell anything from that, and lo and behold, there
Orig Msg> was a SECOND inetd in "/usr/ /tools" ! (yes, that's a space there,
Orig Msg> isn't that clever? ;D) Soo, I did a bit more looking, and yep, that
Orig Msg> was how he came back after the initial sploit. He had a nifty little
Orig Msg> script that would cover his tracks by removing his traces from secure
Orig Msg> etc.
Orig Msg>
Orig Msg> Anyway, he wasn't that great because though he replaced all the
Orig Msg> naughty bits, he didn't update the RPM database, and so a quicky rpm
Orig Msg> --verify -a gave me a list of all the core files that have been
Orig Msg> changed. We're checking that out right now to determine if we should
Orig Msg> just do a full reinstall.
Orig Msg>
Orig Msg> Speaking of which, what's the commandline for netstat to give you a
Orig Msg> listing of all the listening ports? Is it netstat -lp?
Orig Msg>
Orig Msg> On Fri, Mar 03, 2000 at 01:05:07AM -0700, Jay wrote:
Orig Msg> >
Orig Msg> > Hey Jiva. Although I don't keep up on the RH stuff, I think I saw
Orig Msg> > something like this come across the daily Freshmeat batch within the last
Orig Msg> > week or so. You may want to do a search over there.
Orig Msg> >
Orig Msg> > Question -- What packages were sploited on their systems? Share with the
Orig Msg> > rest of us some of the details so that we can all make sure we're up to
Orig Msg> > date... :)
Orig Msg> >
Orig Msg> > ~Jay
Orig Msg> >
Orig Msg> > On Fri, 3 Mar 2000 jiva@devware.com wrote:
Orig Msg> >
Orig Msg> > > 2 count em 2 of my friends running linux discovered tonight their
Orig Msg> > > machines had been rooted! And the only reason was because they didn't
Orig Msg> > > keep their packages up to date. Does anyone know of a script that'll
Orig Msg> > > get just the latest security fixes on RedHat?
Orig Msg> >

JLF Sends...
This message brought to you by Master Forrest the Grump: "Evil is, what evil does."
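The two checks the thread leans on, as an added shell example that is not code from anyone in the thread: pulling the binaries whose contents changed out of `rpm -Va` output (config files excluded, since they legitimately differ from the package) and finding directory names that hide whitespace, like the "/usr/ /tools" trick Jiva describes. The `rpm -Va` lines below are a constructed sample, and the function names `changed_binaries` and `odd_dirs` are my own.

```shell
#!/bin/sh
# Constructed sample of `rpm -Va` output (not taken from the thread).
# Columns: attribute flags (S size, M mode, 5 md5, L link, U user,
# G group, T mtime; "." = unchanged), an optional file type
# ("c" = config file), then the path. "missing" means the file is gone.
SAMPLE_RPM_VA='S.5....T   /usr/sbin/in.telnetd
S.5....T   /bin/netstat
S.5....T   /usr/bin/top
.......T   /usr/lib/libfoo.so.1
S.5....T c /etc/inetd.conf
missing    /usr/sbin/in.ftpd'

# Read `rpm -Va` output on stdin and print only files whose contents
# changed (size or MD5 differs) or that are missing. Config files are
# skipped because local edits make them differ by design; a changed
# mtime alone is not reported. Caveat: if rpm itself or the RPM
# database was replaced, this check is only as honest as they are.
changed_binaries() {
    awk '
        $1 == "missing" { print $NF; next }
        $2 == "c"       { next }
        $1 ~ /^S/ || substr($1, 3, 1) == "5" { print $NF }
    '
}

# List directories under $1 whose own name contains a space, the trick
# used to make "/usr/ /tools" look like "/usr/tools" in casual output.
odd_dirs() {
    find "$1" -type d -name '* *' 2>/dev/null
}

# Typical use on a live box:
#   rpm -Va | changed_binaries
#   odd_dirs /usr; odd_dirs /etc
```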