Sounds like you've had quite a little adventure Jiva. Yes, -lp will give
you the listen ports.
John Kloian III
____________________________________________________________________________
Vice President/CIO Wired Global Communications, Inc.
Phone: 602.674.9900 ext. 103 "Specializing in Open Source Network Solutions"
Fax: 602.674.8725 http://www.wiredglobal.net
On Fri, 3 Mar 2000
jiva@devware.com wrote:
> I'm not sure which packages were actually exploited, but I know that
> on at least one of the machines both the FTP d and the named were old,
> and had known root exploits. I suspect the other machine had the same
> issues. On one of the machines, we ran a nessus scan on it, and found
> mysteriously, on port 516 a telnet daemon running. We attempted to
> connect to it, and found that it logged in the /var/log/secure as
> in.taskd, but we could find no other references to it. Did a locate
> for taskd, and locate said it was in /usr/sbin/in.taskd but it wasn't!
> We'd also noticed some weird behavior such as top not working right
> anymore and netstat not working right etc (red flags).
>
> So we did a bit more looking, and then I started thinking, well, if
> it's logging in secure, it must be running through inetd, but we
> didn't find anything in inetd.conf. Sooo, I did a locate for inetd to
> see if maybe I could tell anything from that, and lo and behold, there
> was a SECOND inetd in "/usr/ /tools" ! (yes, that's a space there,
> isn't that clever? ;D) Soo, I did a bit more looking, and yep, that
> was how he came back after the initial sploit. He had a nifty little
> script that would cover his tracks by removing his traces from secure
> etc.
>
> Anyway, he wasn't that great because though he replaced all the
> naughty bits, he didn't update the RPM database, and so a quicky rpm
> --verify -a gave me a list of all the core files that have been
> changed. We're checking that out right now to determine if we should
> just to a full reinstall.
>
> Speaking of which, what's the commandline for netstat to give you a
> listing of all the listening ports? Is it netstat -lp?
>
> On Fri, Mar 03, 2000 at 01:05:07AM -0700, Jay wrote:
> >
> >
> > Hey Jiva. Although I don't keep up on the RH stuff, I think I saw
> > something like this come across the daily Freshmeat batch within the last
> > week or so. You may want to do a search over there.
> >
> > Question -- What packages were sploited on their systems? Share with the
> > rest of us some of the details so that we can all make sure we're up to
> > date... :)
> >
> > ~Jay
> >
> >
> > On Fri, 3 Mar 2000 jiva@devware.com wrote:
> >
> > > 2 count em 2 of my friends running linux discovered tonight their
> > > machines had been rooted! And the only reason was because they didn't
> > > keep their packages up to date. Does anyone know of a script that'll
> > > get just the latest security fixes on RedHat?
> >
> > - J a y J a c o b s o n
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > - President / CEO Wired Global Communications, Inc.
> > - Fax: 602.674.8725 Internet Engineering Solutions
> > - Voice: 602.674.9900 http://www.wiredglobal.net
> >
> > In a world where an admin is rendered useless when the ball in his mouse
> > has been taken out, it is good to know that I know UNIX.
> >
> >
> > _______________________________________________
> > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> petribar:
> Any sun-bleached prehistoric candy that has been sitting in
> the window of a vending machine too long.
> -- Rich Hall, "Sniglets"
>
> _______________________________________________
> Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
(text/plain)