Hi!
you wrote:
>Date: Mon, 01 Mar 1999 18:04:14 -0800
>From: Randy Bunchun Lim <[EMAIL PROTECTED]>
>Subject: Red Hat Linux 5.0 was hacked
>
>Hi,
>
>This morning I found out that the gateway(running Red hat Linux 5.0 with
>10.0.0.X and 12.9.165.X) had been hacked. In the /etc/passwd, there are
>two new accounts created for Malk and Malk2 respectively and their home
>directory was /tmp. Also for /etc/inetd.conf, the following two lines
>are repeated again at the bottom of /etc/inetd.conf.
>ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
>telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
>
too bad for you ;->
The question is how they got in. This may be the result of a vulnerability in one of your daemons, e.g. imapd or whatever you have running on your box.
The best thing to do is to run an ISS systems scanner to determine which files have been tampered with. This is available for most unixes incl. Linux. You can go for an inexpensive engagement license (30 days). Alternatively you could install tripwire and check for any differences after the break-in, provided you created a baseline database BEFORE the event happened!
Also useful is the compromise script from Christopher Klaus:
ftp://ftp.iss.net/pub/faq/compromise
If you are not sure which binaries have been changed, reinstall from scratch!
>Are there any tools I can use to check if someone is cracking the root's
>password.
yes, again the system scanner would tell you that
> Also I want to know if the intruder was inside of my local
>network or far from the internet since I have installed IP packet filter
>on the other gateway! Any sniffer recommended?
yes, an IDS would fit in here, e.g. ISS RealSecure (unfortunately not yet? available for Linux). If you are looking for sniffers, please check
ftp://ftp.iss.net/pub/faq/sniff
Watch out!
Karl
--
email: [EMAIL PROTECTED]
BDG - The Business Development Group
We bring security to the net
Maarweg 165
D-50825 Cologne, Germany
Tel. +49-221-954231-0
Fax. +49-221-954231-31
http://www.bdg.de
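The reply above recommends two things: a file-integrity baseline taken before the incident (tripwire-style) and a check for the specific indicators Randy observed (new accounts with /tmp as home directory, and duplicated service lines at the bottom of /etc/inetd.conf). The script below is an added illustration written for this thread, not code from either poster, ISS or tripwire. The /etc/passwd and /etc/inetd.conf contents are constructed sample data that mimic the symptoms described; the function names and the list of "scratch" home directories are assumptions, not any tool's API.

```python
import hashlib
from collections import Counter

# Constructed sample files (not from the original post): a clean baseline and a
# post-incident copy that shows the two indicators described in the thread.
PASSWD_BASELINE = """root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/sh
randy:x:500:500:Randy:/home/randy:/bin/bash
"""
PASSWD_AFTER = PASSWD_BASELINE + """Malk:x:501:501::/tmp:/bin/bash
Malk2:x:502:502::/tmp:/bin/bash
"""
INETD_BASELINE = """ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
"""
# The attacker's lines were appended verbatim at the end of the file.
INETD_AFTER = INETD_BASELINE + INETD_BASELINE


def baseline(files):
    """Tripwire-style baseline: path -> SHA-256 of the file content.

    Only useful if it was taken BEFORE the incident and stored somewhere the
    intruder cannot modify (read-only media, another host)."""
    return {path: hashlib.sha256(content.encode()).hexdigest()
            for path, content in files.items()}


def changed_files(base, current):
    """Paths whose current hash differs from the baseline (or are new)."""
    now = baseline(current)
    return sorted(p for p, digest in now.items() if base.get(p) != digest)


def suspicious_accounts(passwd_text, scratch_homes=("/tmp", "/var/tmp", "/dev")):
    """Flag passwd entries whose home is a world-writable scratch directory
    (the Malk/Malk2 symptom) and any non-root account with UID 0."""
    findings = []
    for line in passwd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, _pw, uid, _gid, _gecos, home, _shell = fields
        if home in scratch_homes:
            findings.append((name, "home is " + home))
        if uid == "0" and name != "root":
            findings.append((name, "uid 0"))
    return findings


def duplicate_inetd_entries(inetd_text):
    """Service names listed more than once in inetd.conf, i.e. the
    'repeated at the bottom' symptom from the post."""
    services = Counter(
        line.split()[0]
        for line in inetd_text.splitlines()
        if line.strip() and not line.startswith("#")
    )
    return sorted(name for name, count in services.items() if count > 1)


if __name__ == "__main__":
    base = baseline({"/etc/passwd": PASSWD_BASELINE,
                     "/etc/inetd.conf": INETD_BASELINE})
    after = {"/etc/passwd": PASSWD_AFTER, "/etc/inetd.conf": INETD_AFTER}
    print("changed since baseline:", changed_files(base, after))
    print("suspicious accounts:", suspicious_accounts(PASSWD_AFTER))
    print("duplicated inetd services:", duplicate_inetd_entries(INETD_AFTER))
```

Note that the hash comparison only proves a file changed, not what changed; the two indicator checks are what turn "/etc/passwd differs" into something an on-call admin can act on. Neither check replaces a reinstall when the set of modified binaries is unknown, which is the reply's own conclusion.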