From: David Knaack <[EMAIL PROTECTED]>
> I seem to have misconfigured my linux box such that no
> users can log in over telnet or on the console, but I can
> FTP in, and mail still works.

Just an update, for anyone who might be interested.

Turns out that the box had been rooted via named, the login,
ps, and netstat apps changed, and a backdoor app called in.sys
installed with an entry in inittab added to load it.  in.sys
opened a listening port on 37331, ps would not list the in.sys
process, and netstat would not list the port (actually, ps -A
didn't work at all, nor did netstat -lp).

The box was compromised on April 8th, just days after I
put it up.  I was not sure that it was compromised, but
I disconnected the NIC connected to our internal network
as soon as I discovered that I could not log in (within
12 hours of the hack).

Until April 28th I was unable to log in without booting
to single mode, however, the hacker kindly installed a
custom version of login that locked out only root and
my usual user account (and it printed 'slkd' on failed
logins).  That made it very obvious that the changes
were not due to a misconfiguration on my part, and from
there tracking down the changes was fairly easy.  Had
the hacker gone to more trouble to make sure that the
replaced files looked and worked as precisely as the
originals as possible, the recovery would have been more
difficult.  On the other hand, perhaps it was a
particularly savvy hacker and he has replaced other
files such that they are well hidden, then left these
out as a decoy :)

Either way, that box will be under close supervision.

DK
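The post describes a trojaned netstat that omits the backdoor's listening port. One defensive cross-check, added here as an example and not from the original post, is to read the kernel's own /proc/net/tcp table (which the userland netstat binary cannot alter) and diff it against what netstat reports. It assumes a Linux /proc layout and `netstat -ltn`-style output; the sample tables below are constructed and abbreviated.

```python
"""Flag listening TCP ports the kernel knows about but a possibly
trojaned netstat does not report.  Added example; sample data is
constructed to mirror the incident (ftp, telnet, smtp plus a hidden
port 37331).  /proc/net/tcp stores addresses as hex, LISTEN state = 0A."""
import os
import subprocess

LISTEN_STATE = "0A"  # TCP_LISTEN as encoded in /proc/net/tcp


def listening_ports_from_proc(proc_net_tcp_text):
    """Parse /proc/net/tcp (or tcp6) text; return ports in LISTEN state."""
    ports = set()
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue  # header line or non-listening socket
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # hex port
    return ports


def listening_ports_from_netstat(netstat_text):
    """Parse `netstat -ltn` output; return the ports it admits to."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def hidden_ports(proc_text, netstat_text):
    """Ports listening per the kernel but missing from netstat's output."""
    return listening_ports_from_proc(proc_text) - listening_ports_from_netstat(netstat_text)


# Constructed sample: 0x0015=21, 0x0017=23, 0x0019=25, 0x91D3=37331 (all LISTEN)
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1203
   3: 00000000:91D3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1299
   4: 0500000A:0017 0100000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1310"""

# Constructed sample of what a trojaned netstat might print (port 37331 omitted)
SAMPLE_NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN"""

if __name__ == "__main__":
    if os.path.exists("/proc/net/tcp"):  # live check on a Linux host
        proc_text = open("/proc/net/tcp").read()
        ns_text = subprocess.run(["netstat", "-ltn"], capture_output=True, text=True).stdout
    else:  # fall back to the constructed sample
        proc_text, ns_text = SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT
    print("ports hidden from netstat:", sorted(hidden_ports(proc_text, ns_text)))
```

The same idea catches a ps that hides processes: list the numeric directories under /proc and diff them against the PIDs that ps -e prints.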
