dtspcd compromises
From: Russell Fulton (R.FULTON@auckland.ac.nz)Date: 01/21/02
- Previous message: John Bland: "Odd connection attempts from many addresses"
- Next in thread: Russell Fulton: "RE: dtspcd compromises"
- Reply: Russell Fulton: "RE: dtspcd compromises"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Russell Fulton <R.FULTON@auckland.ac.nz> To: incidents@securityfocus.com Date: 21 Jan 2002 20:26:34 +1300
Just an FYI:
Early this morning (0220 local time, Monday) we had a couple of SUN
machines compromised via dtspcd. The exploit started a second copy of
inetd with a configuration file /tmp/x which bound a root shell on 1524
(ingresslock).
Later in the morning (0800) one of the machines started a synflood
attack on another machine on our network. This combined with the fact
that the attack originated from a local ISP strongly suggests this is
the work of some of our students, sigh...
No root kit was installed and no other back doors found, we are
reinstalling anyway, of course...
The snort rules in the experimental rules file picked up the attack.
-- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Previous message: John Bland: "Odd connection attempts from many addresses"
- Next in thread: Russell Fulton: "RE: dtspcd compromises"
- Reply: Russell Fulton: "RE: dtspcd compromises"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
