Heh, yeah, like I said, they weren't actually *my* machines that had
the problems, but you can bet that I ran a security scan on all my
boxes last night just to be safe. ;D

On Fri, Mar 03, 2000 at 09:10:09AM -0700, John Kloian III wrote:
> Sounds like you've had quite a little adventure Jiva. Yes, -lp will give
> you the listen ports.
>
> John Kloian III
> ____________________________________________________________________________
> Vice President/CIO Wired Global Communications, Inc.
> Phone: 602.674.9900 ext. 103 "Specializing in Open Source Network Solutions"
> Fax: 602.674.8725 http://www.wiredglobal.net
>
> On Fri, 3 Mar 2000 jiva@devware.com wrote:
>
> > I'm not sure which packages were actually exploited, but I know that
> > on at least one of the machines both the FTP d and the named were old,
> > and had known root exploits. I suspect the other machine had the same
> > issues. On one of the machines, we ran a nessus scan on it, and found
> > mysteriously, on port 516 a telnet daemon running. We attempted to
> > connect to it, and found that it logged in the /var/log/secure as
> > in.taskd, but we could find no other references to it. Did a locate
> > for taskd, and locate said it was in /usr/sbin/in.taskd but it wasn't!
> > We'd also noticed some weird behavior such as top not working right
> > anymore and netstat not working right etc (red flags).
> >
> > So we did a bit more looking, and then I started thinking, well, if
> > it's logging in secure, it must be running through inetd, but we
> > didn't find anything in inetd.conf. Sooo, I did a locate for inetd to
> > see if maybe I could tell anything from that, and lo and behold, there
> > was a SECOND inetd in "/usr/ /tools" ! (yes, that's a space there,
> > isn't that clever? ;D) Soo, I did a bit more looking, and yep, that
> > was how he came back after the initial sploit. He had a nifty little
> > script that would cover his tracks by removing his traces from secure
> > etc.
> >
> > Anyway, he wasn't that great because though he replaced all the
> > naughty bits, he didn't update the RPM database, and so a quicky rpm
> > changed. We're checking that out right now to determine if we should
> > just do a full reinstall.
> >
> > Speaking of which, what's the commandline for netstat to give you a
> > listing of all the listening ports? Is it netstat -lp?
> >
> > On Fri, Mar 03, 2000 at 01:05:07AM -0700, Jay wrote:
> > >
> > > Hey Jiva. Although I don't keep up on the RH stuff, I think I saw
> > > something like this come across the daily Freshmeat batch within the last
> > > week or so. You may want to do a search over there.
> > >
> > > Question -- What packages were sploited on their systems? Share with the
> > > rest of us some of the details so that we can all make sure we're up to
> > > date... :)
> > >
> > > ~Jay
> > >
> > > On Fri, 3 Mar 2000 jiva@devware.com wrote:
> > >
> > > > 2 count em 2 of my friends running linux discovered tonight their
> > > > machines had been rooted! And the only reason was because they didn't
> > > > keep their packages up to date. Does anyone know of a script that'll
> > > > get just the latest security fixes on RedHat?
> > >
> > > - J a y J a c o b s o n
> > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > > - President / CEO Wired Global Communications, Inc.
> > > - Fax: 602.674.8725 Internet Engineering Solutions
> > > - Voice: 602.674.9900 http://www.wiredglobal.net
> > >
> > > In a world where an admin is rendered useless when the ball in his mouse
> > > has been taken out, it is good to know that I know UNIX.
> > >
> > > _______________________________________________
> > > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
A woman can never be too rich or too thin.
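
The file-system checks this thread describes (a directory under /usr named with a space, a second inetd, a daemon that logs as inetd-spawned but is missing from inetd.conf), as an added example that is not part of any poster's message. The function names and the sample tree built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All paths created in demo() are
# constructed sample data; point the functions at a real root to use them.

# Directories whose name starts or ends with a space (e.g. "/usr/ ").
find_blank_dirs() {            # $1 = root to scan
    find "$1" -xdev -type d \( -name ' *' -o -name '* ' \) -print 2>/dev/null
}

# Copies of a daemon binary anywhere other than its expected path.
find_stray_binaries() {        # $1 = root, $2 = file name, $3 = expected path
    find "$1" -xdev -type f -name "$2" -print 2>/dev/null |
        while IFS= read -r p; do
            [ "$p" = "$3" ] || printf '%s\n' "$p"
        done
}

# Succeeds if the program name appears on a non-comment line of an
# inetd.conf file. A daemon that logs as inetd-spawned but is not
# configured there points at a second inetd reading another config.
inetd_conf_has() {             # $1 = inetd.conf path, $2 = program name
    grep -v '^[[:space:]]*#' "$1" | grep -qF -- "$2"
}

demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc" "$t/usr/sbin" "$t/usr/ /tools"
    : > "$t/usr/sbin/inetd"
    : > "$t/usr/ /tools/inetd"
    printf '%s\n' '# constructed sample' \
        'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a' \
        > "$t/etc/inetd.conf"
    echo "odd directories:"; find_blank_dirs "$t"
    echo "stray inetd:";     find_stray_binaries "$t" inetd "$t/usr/sbin/inetd"
    inetd_conf_has "$t/etc/inetd.conf" in.taskd ||
        echo "in.taskd is not configured in inetd.conf"
    rm -rf "$t"
}
demo
```

On a host that may already be compromised, run these from known-good media, since the thread notes that top and netstat on the affected machine no longer behaved correctly.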