Re: hpd, afb, sc, and sn

• Previous message: Ron Gedye: "Compromised System RH7.3-ICMP-STP-DoS"
• In reply to: Gordon Chamberlin: "hpd, afb, sc, and sn"
• Next in thread: Greg Barnes: "Re: hpd, afb, sc, and sn"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 21 Dec 2002 11:53:33 +0100
From: gminick <gminick@underground.org.pl>
To: incidents@securityfocus.com

On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:
> I found suspicious looking files on a Redhat 7.1 Linux server earlier
> today. Can anyone confirm or deny that the machine has been hacked?
Yes, you've been cracked, but it's hard to say what toolkit was
used since I've never heard of any that's using binaries such as
afb, sn or sc. Can you provide these files to us (put it on
WWW or sth like that) ?

> namp reports the following ports open:
> Port State Service
> 5/tcp open rje
[...]
> 8009/tcp open ajp13

> Anyone know about this hack, what afb does and/or how they usually get
> in?
It's important to determine what services you've been providing
before attack. From nmap's output we can say that vulnerabilities
(for example) in sunrpc or your ssh server or DNS server were used
to get in.

-- 
[ ] gminick (at) underground.org.pl  http://gminick.linuxsecurity.pl/ [ ]
[ "Po prostu lubie poranna samotnosc, bo wtedy kawa smakuje najlepiej." ]
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: Greg Barnes: "Re: hpd, afb, sc, and sn"
• Previous message: Ron Gedye: "Compromised System RH7.3-ICMP-STP-DoS"
• In reply to: Gordon Chamberlin: "hpd, afb, sc, and sn"
• Next in thread: Greg Barnes: "Re: hpd, afb, sc, and sn"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]