Re: Visited by a cracker

From: Mike Zupan (mzupan_at_meso.com)
Date: 07/12/04

    To: focus-linux@securityfocus.com
    Date: Mon, 12 Jul 2004 08:22:13 -0400
    
    

    I just ran the first two against a fully patched RH9 system with no luck.
    ptrace kept running in memory. The other is also the kernel exploit which has
    been patched by every distro out there.

    [wind@wind0 wind]$ chmod +x egx
    [wind@wind0 wind]$ ./egx
    [-] Unable to change page protection: Cannot allocate memory
    [-] Unable to exit, entering neverending loop.

    [1]+ Stopped ./egx
    [wind@wind0 wind]$
    [wind@wind0 wind]$ uname -r
    2.4.20-30.9smp

    Mike

    On Sunday 11 July 2004 10:45, Per Christian B. Viken wrote:
    > Hello
    >
    > I've had a rather disturbing evening.
    > A friend of mine runs a small server for himself and some friends. It's
    > running slackware 10.
    > When I logged in, I noticed that the load was way over what's normal
    > (around 1.36 now, usually it's under 0.10), so I run 'top'. I see a program
    > called 'strace' running, hogging all the cpu power.
    >
    > So I get curious. I chdir to the user's home, and look around. It's empty.
    > But, the 'smart' little cracker has forgotten about .bash_history, so here
    > I can see everything that he has been doing.
    > Apparently, he has downloaded and set up an eggdrop, removed it again, and
    > then downloaded a psybnc, which he also removed shortly. Then things get
    > interesting.
    >
    > <SNIP>

