I missed the details about your system; could you please re-iterate, if
you already did, the details of the box that was hacked into? For example,
what daemons does that machine typically run? What versions of
software: e.g., os version, daemon versions, and other versions you can
think of. How many accounts on it? How do you think the hacker was able
to break into your system?
Thanks
robert
On Mon, 1 May 2000, David Knaack wrote:
> From: David Knaack <[EMAIL PROTECTED]>
> > I seem to have misconfigured my linux box such that no
> > users can log over telnet or on the console, but I can
> > FTP in, and mail still works.
>
> Just an update, for anyone who might be interested.
>
> Turns out that the box had been rooted via named, the login,
> ps, and netstat apps changed, and a backdoor app called in.sys
> installed with an entry in inittab added to load it. in.sys
> opened a listening port on 37331, ps would not list the in.sys
> process, and netstat would not list the port (actually, ps -A
> didn't work at all, nor did netstat -lp).
>
> The box was compromised on April 8th, just days after I
> put it up. I was not sure that it was compromised, but
> I disconnected the NIC connected to our internal network
> as soon as I discovered that I could not log in (within
> 12 hours of the hack).
>
> Until April 28th I was unable to log in without booting
> to single mode, however, the hacker kindly installed a
> custom version of login that locked out only root and
> my usual user account (and it printed 'slkd' on failed
> logins). That made it very obvious that the changes
> were not due to a misconfiguration on my part, and from
> there tracking down the changes was fairly easy. Had
> the hacker gone to more trouble to make sure that the
> replaced files looked and worked as precisely as the
> originals as possible, the recovery would have been more
> difficult. On the other hand, perhaps it was a
> particularly savvy hacker and he has replaced other
> files such that they are well hidden, then left these
> out as a decoy :)
>
> Either way, that box will be under close supervision.
>
> DK
>
>
Robert Johannes
Systems Administrator
Kairos-Damango Internet Services Inc.
1300 Godward Street suite 3200
Minneapolis, MN 55413
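The compromise David describes relied on trojaned userland tools: netstat would not show the backdoor's listening port 37331. One check that sidesteps a replaced netstat is to read the kernel's own socket table in /proc/net/tcp directly and compare it against what netstat reports. The following is an added example, not code from either poster; it embeds a constructed /proc/net/tcp snapshot (on a little-endian x86 host, which is what the hex address layout assumes) with the ports from the thread, and the netstat port list is likewise a made-up input.

```python
"""Cross-check LISTEN sockets in /proc/net/tcp against the ports a
(possibly trojaned) netstat reported, and flag any that netstat omitted."""
import os
import socket

# Constructed sample of /proc/net/tcp (not captured from the compromised box).
# Ports are hex: 0x0015=21 ftp, 0x0016=22 ssh, 0x0019=25 smtp, 0x0035=53 named,
# 0x91D3=37331 (the backdoor port from the thread). State 0A = LISTEN, 01 = ESTABLISHED.
# Addresses are in host byte order as written by a little-endian (x86) kernel.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 c0000000 300 0 0 2 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 c0000000 300 0 0 2 -1
   2: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 c0000000 300 0 0 2 -1
   3: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 c0000000 300 0 0 2 -1
   4: 00000000:91D3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005 1 c0000000 300 0 0 2 -1
   5: 0200000A:0016 0500000A:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 1006 1 c0000000 300 0 0 2 -1
"""

# Constructed: what a trojaned `netstat -ltn` claimed was listening (37331 omitted).
SAMPLE_NETSTAT_PORTS = [21, 22, 25, 53]

LISTEN_STATE = "0A"


def _decode_addr(hex_addr, little_endian=True):
    """Turn '0100007F:0035' into ('127.0.0.1', 53).

    /proc/net/tcp stores the IPv4 address as a 32-bit value in host byte
    order, so on little-endian hosts the four bytes are reversed first.
    """
    ip_hex, port_hex = hex_addr.split(":")
    raw = bytes.fromhex(ip_hex)
    if little_endian:
        raw = raw[::-1]
    return socket.inet_ntoa(raw), int(port_hex, 16)


def listening_sockets(proc_tcp_text, little_endian=True):
    """Return [(ip, port, inode)] for every socket in LISTEN state.

    The inode lets you map a socket back to a process via /proc/<pid>/fd,
    independently of whatever a replaced ps chooses to show.
    """
    found = []
    for line in proc_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN_STATE:
            continue
        ip, port = _decode_addr(fields[1], little_endian)
        found.append((ip, port, int(fields[9])))
    return found


def hidden_listeners(proc_tcp_text, netstat_ports, little_endian=True):
    """Ports the kernel says are LISTEN but netstat did not report."""
    kernel_ports = {port for _, port, _ in listening_sockets(proc_tcp_text, little_endian)}
    return sorted(kernel_ports - set(netstat_ports))


if __name__ == "__main__":
    # Demonstrate on the constructed sample; on a live Linux host you would
    # read /proc/net/tcp and feed in the ports your netstat printed.
    for ip, port, inode in listening_sockets(SAMPLE_PROC_NET_TCP):
        print(f"LISTEN {ip}:{port} inode={inode}")
    print("not reported by netstat:", hidden_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT_PORTS))
    if os.path.exists("/proc/net/tcp"):
        with open("/proc/net/tcp") as fh:
            print("live LISTEN sockets:", listening_sockets(fh.read()))
```

This catches the userland trick in the thread (a replaced netstat filtering its own output) because the data comes from the kernel rather than the binary. It does not help against a kernel-module rootkit that filters /proc itself, and the Python interpreter and libc it runs on must themselves be trusted, so on a box suspected of compromise the comparison is best run from a boot CD or known-clean media, as David did when he booted to single-user mode.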