On Sat, Jan 05, 2002 at 01:43:24AM -0500, Thedore Knab wrote:
[snip]
> Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
> Interesting ports on dns1.mywork.edu :
> (The 1540 ports scanned but not shown below are in state: closed)
> Port State Service
> 21/tcp open ftp
How does this sound ?
The system has been rebuilt.
It is running Bind 9.2 chroot version on RH 7.2. Someone else built it. I prefer
Debian or OpenBSD. I will add tripwire and chkrootkit to run as a cron
job.
The hard drives will be saved for further investigation at a later date.
Since the hard
On Sun, 6 Jan 2002 04:08, Jason Lim wrote:
> From my experience, police like data untampered and in exactly the same
> form and such when the intrusion occurred. That means the exact same
> disks, not a tape backup or something. Sometimes backups can miss stuff,
> or as mentioned previously, the bac
On Sat, Jan 05, 2002 at 01:43:24AM -0500, Thedore Knab wrote:
> Starting nmap V. 2.54BETA25 ( www.insecure.org/nmap/ )
> Interesting ports on dns1.mywork.edu :
> (The 1540 ports scanned but not shown below are in state: closed)
^^
You seem to have only scanned your well-known ports?
> Good point! Having never dealt with the fuzz after being compromised,
> I have to ask what you would do if your server is a file server with
> lots of big, expensive drives where a company might not be able to
> afford replacing them all? Would they be happy with backups (keeping
> in mind tha
On Sat, 5 Jan 2002, Jeremy L. Gaddis wrote:
> You dumbass. Everybody knows you don't try to fix a compromised
> machine. You take it in stride, wipe the drives and start all
> over from a clean install.
Would you mind terribly not airing your oh-so-superior views in public?
With such unbridled
Of Thedore Knab
Sent: Saturday, January 05, 2002 1:43 AM
To: debian-isp@lists.debian.org
Subject: Re: BIND exploited ? -UPDATE
Thanks for your help.
This was not a debian box. Maybe the next one will be.
I think it was updated from an earlier version that was hacked.
I am under the assumption that
> > I have to ask what you would do if your server is a file server with
> > lots of big, expensive drives where a company might not be able to
> > afford replacing them all? Would they be happy with backups (keeping
> > in mind that any tools used to backup the server might no longer be
> > trust
On Fri, 4 Jan 2002 19:43, Andy Bastien wrote:
> > > Is it really necessary to buy new hard drives? Is there a reason why
> > > he can't just reformat his current drives before reinstalling?
> >
> > Sure he can, if he wants to lose the evidence of what happened and lose
> > the possibility to hand
> > Is it really necessary to buy new hard drives? Is there a reason why
> > he can't just reformat his current drives before reinstalling?
>
> Sure he can, if he wants to lose the evidence of what happened and lose the
> possibility to hand the drives over to law enforcement officials (which may
Andy Bastien wrote:
>
> Is it really necessary to buy new hard drives? Is there a reason why
> he can't just reformat his current drives before reinstalling?
>
One could simply reformat, but I'd strongly consider buying new drives
for several reasons:
1) Hard drives are one of the more fail
Thanks for your help.
This was not a debian box. Maybe the next one will be.
I think it was updated from an earlier version that was hacked.
I am under the assumption that this server was this way for over 1 year.
[ted@moe chkrootkit-0.34]$ cat /etc/redhat-release
Red Hat Linux release 6.2 (
On Fri Jan 04, a day that will live in infamy, Russell Coker wrote:
> On Fri, 4 Jan 2002 17:54, Andy Bastien wrote:
> > On Fri Jan 04, a day that will live in infamy, Russell Coker wrote:
> > > On Fri, 4 Jan 2002 03:16, Thedore Knab wrote:
> > > > Where do I go from here ?
> > >
> > > Buy new hard
On Fri, 4 Jan 2002 17:54, Andy Bastien wrote:
> On Fri Jan 04, a day that will live in infamy, Russell Coker wrote:
> > On Fri, 4 Jan 2002 03:16, Thedore Knab wrote:
> > > Where do I go from here ?
> >
> > Buy new hard drives, install them and install the latest version of your
> > favourite distr
On Fri Jan 04, a day that will live in infamy, Russell Coker wrote:
> On Fri, 4 Jan 2002 03:16, Thedore Knab wrote:
> > Where do I go from here ?
>
> Buy new hard drives, install them and install the latest version of your
> favourite distribution and configure it in a secure fashion. Make sure
On Fri, 4 Jan 2002 03:16, Thedore Knab wrote:
> Where do I go from here ?
Buy new hard drives, install them and install the latest version of your
favourite distribution and configure it in a secure fashion. Make sure that
all passwords are different.
Trying to remove root-kits etc might be f
: "Thedore Knab" <[EMAIL PROTECTED]>
To:
Sent: Friday, January 04, 2002 10:16 AM
Subject: BIND exploited ?
> I recently inherited a machine that I think has been exploited.
>
> It seems to have a stupid root kit installed unless this is a decoy.
>
> What does it l
rooted by some script kiddies, perhaps..
rpc.statd or bind exploited, some say it's better to reinstall the
box, personally i like diggin' :-))
first, disconnect, kick out all aliens, or save them somewhere, quarantined to
check them out later,
then, get some new packages on cds, or floppies or fro
I recently inherited a machine that I think has been exploited.
It seems to have a stupid root kit installed unless this is a decoy.
What does it look like to you professionals?
[root@moe ...]# uname -a
Linux moe. 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686
unknown
[root@moe ...]# ps auxww