Something must be done! (Security)
Jake Johnson
johnsj20@linuxcentral.cx
Fri, 3 Mar 2000 20:27:22 -0600 (CST)
Sorry about your system, but I would recommend Red Hat's up2date
program: it will update your system for you by finding your old
packages and then letting you choose the ones you want to upgrade!
Good Luck,
Jake
Jake R. Johnson
Academic Computing
Information Technology Desktop Support Intern
Phone 424-3020 (Help-desk will redirect)
On Fri, 3 Mar 2000 jiva@devware.com wrote:
> I'm not sure which packages were actually exploited, but I know that
> on at least one of the machines both the ftpd and the named were old,
> and had known root exploits. I suspect the other machine had the same
> issues. On one of the machines, we ran a nessus scan on it, and found
> mysteriously, on port 516 a telnet daemon running. We attempted to
> connect to it, and found that it logged in the /var/log/secure as
> in.taskd, but we could find no other references to it. Did a locate
> for taskd, and locate said it was in /usr/sbin/in.taskd but it wasn't!
> We'd also noticed some weird behavior such as top not working right
> anymore and netstat not working right etc (red flags).
>
> So we did a bit more looking, and then I started thinking, well, if
> it's logging in secure, it must be running through inetd, but we
> didn't find anything in inetd.conf. Sooo, I did a locate for inetd to
> see if maybe I could tell anything from that, and lo and behold, there
> was a SECOND inetd in "/usr/ /tools" ! (yes, that's a space there,
> isn't that clever? ;D) Soo, I did a bit more looking, and yep, that
> was how he came back after the initial sploit. He had a nifty little
> script that would cover his tracks by removing his traces from secure
> etc.
>
> Anyway, he wasn't that great because though he replaced all the
> naughty bits, he didn't update the RPM database, and so a quicky rpm
> --verify -a gave me a list of all the core files that have been
> changed. We're checking that out right now to determine if we should
> just do a full reinstall.
>
> Speaking of which, what's the commandline for netstat to give you a
> listing of all the listening ports? Is it netstat -lp?
>
> On Fri, Mar 03, 2000 at 01:05:07AM -0700, Jay wrote:
> >
> >
> > Hey Jiva. Although I don't keep up on the RH stuff, I think I saw
> > something like this come across the daily Freshmeat batch within the last
> > week or so. You may want to do a search over there.
> >
> > Question -- What packages were sploited on their systems? Share with the
> > rest of us some of the details so that we can all make sure we're up to
> > date... :)
> >
> > ~Jay
> >
> >
> > On Fri, 3 Mar 2000 jiva@devware.com wrote:
> >
> > > 2 count em 2 of my friends running linux discovered tonight their
> > > machines had been rooted! And the only reason was because they didn't
> > > keep their packages up to date. Does anyone know of a script that'll
> > > get just the latest security fixes on RedHat?
> >
> > - J a y J a c o b s o n
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > - President / CEO Wired Global Communications, Inc.
> > - Fax: 602.674.8725 Internet Engineering Solutions
> > - Voice: 602.674.9900 http://www.wiredglobal.net
> >
> > In a world where an admin is rendered useless when the ball in his mouse
> > has been taken out, it is good to know that I know UNIX.
> >
> >
> > _______________________________________________
> > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> petribar:
> Any sun-bleached prehistoric candy that has been sitting in
> the window of a vending machine too long.
> -- Rich Hall, "Sniglets"
>
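The checks jiva describes above (rpm --verify to find replaced binaries, a listing of listening ports, and the hunt for the second inetd hidden in a directory with a space in its name) as one added triage script. This is example code written for this page, not anything posted in the thread; the rpm -Va and /proc/net/tcp samples it parses are constructed, and port 516 / in.taskd are taken from jiva's account. The one thing the example adds beyond the thread is reading /proc/net/tcp directly, because a rootkit that replaced netstat and top (as jiva saw) can hide sockets from netstat but not from the kernel's own table.

```shell
#!/bin/sh
# Added example (not from the thread): post-compromise triage helpers for an
# RPM-based system. All sample data below is constructed for illustration.

# Constructed sample of `rpm -Va` output. Format: an 8-character attribute
# field (S=size, 5=MD5 digest, T=mtime, ...), an optional type letter
# (c = config file), then the path; "missing" replaces the field for
# files that are gone entirely.
SAMPLE_RPM_VA='S.5....T   /bin/netstat
S.5....T   /usr/bin/top
S.5....T   /usr/sbin/in.ftpd
..5....T c /etc/inetd.conf
.......T   /usr/share/doc/README
missing    /usr/sbin/in.telnetd'

# Print non-config files whose size or digest changed, or that are missing.
# A changed mtime alone is ignored; config files are expected to differ.
# Usage: rpm -Va 2>/dev/null | { suspect_binaries "$(cat)"; }
suspect_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { print $NF; next }
        $2 == "c"       { next }
        $1 ~ /S/ || $1 ~ /5/ { print $NF }
    '
}

# Constructed sample of /proc/net/tcp: a listener on 516 (jiva's in.taskd),
# a listener on 21, and an ESTABLISHED connection on 22 that must be excluded.
SAMPLE_PROC_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0204 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242 1 c0000000 300 0 0 2 -1
   1: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4243 1 c0000000 300 0 0 2 -1
   2: 0100007F:0016 0100007F:8A2C 01 00000000:00000000 00:00000000 00000000     0        0 4244 1 c0000000 20 4 2 2 -1'

# Print the decimal port of every socket in LISTEN state (st == 0A) from the
# contents of /proc/net/tcp or /proc/net/tcp6, one per line. This bypasses a
# possibly trojaned netstat. Usage: proc_listen_ports "$(cat /proc/net/tcp)"
proc_listen_ports() {
    printf '%s\n' "$1" |
        awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' |
        while read -r hex; do
            printf '%d\n' "$((0x$hex))"
        done
}

# The userland view for comparison: -l listening only, -n numeric,
# -p owning PID/program (root needed to see other users' processes).
# Any port shown by proc_listen_ports but not here means netstat is lying.
listening_ports() {
    netstat -lnp 2>/dev/null || ss -lntup
}

# List directory entries whose name contains whitespace, the trick used to
# hide the second inetd in "/usr/ /tools". Usage: find_space_names /usr
find_space_names() {
    find "$1" -name '* *' -print
}

# Stand-alone run on the constructed samples.
echo "== changed or missing package files =="
suspect_binaries "$SAMPLE_RPM_VA"
echo "== kernel-reported listening TCP ports =="
proc_listen_ports "$SAMPLE_PROC_TCP"
```

On a live host, run the rpm check from read-only media or a second machine's rpm binary if possible, since rpm itself may have been replaced; jiva got lucky that the intruder never touched the RPM database. Likewise, diff the output of proc_listen_ports against listening_ports: a port present only in the /proc view is exactly the kind of hidden listener jiva found on 516.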