Re: Linux workstation got hacked!
From: Luke Vogel (luke@bell-bird.com.au)
Date: 12/11/02
- Next message: Security Alert: "SSRT2434 Security vulnerability with HP-UX Visualize Conference"
- Previous message: Et cetera: "Linux workstation got hacked!"
- In reply to: Et cetera: "Linux workstation got hacked!"
- Next in thread: John Oliver: "Re: Linux workstation got hacked!"
From: Luke Vogel <luke@bell-bird.com.au> Date: Wed, 11 Dec 2002 18:38:19 +1000
Et cetera wrote:
> My Linux workstation has been hacked.
>
> Running redhat 5.2.
>
> Accidentally noticed the /etc/passwd file modified, the last line
> changed to:
>
> r00t:x:0:0::/usr/sbin/r00t:/bin/bash
[snip]
> adore-0.14.tar.gz*
[snip]
> Files are modified or replaced all over the system! In /usr/bin, /bin,
> /etc,
> and elsewhere. Such as /usr/bin/pstree and /usr/bin/gaura and
[snip]
> How can the hacker or his source be identified?
> in/etc/ftpusers) FROM p50888FD6.dip.t-dialin.net [80.136.143.214],
> [1221]: failed login from lns08a-9-230.w.club-internet.fr
[snip]
Judging by the ease with which you discovered the files (including the
"adore" kernel module) I'd say that you are the victim of an SK (script
kiddie) and a reasonably poor one at that.

Those entries in your messages file indicate that your cracker "may"
have come from ISPs in Germany and/or France, but there is a chance
that they were using another cracked box to get into yours.

Unless you can prove significant financial loss, there is probably
little to be gained by tracking the kids down. :(
> What's the best version of Redhat to install. Also what firewall
> should I run.
The best version of *any* distro is the version you keep up to date!
Iptables is my firewall of choice.
> This is really terrible. Any thoughts would be greatly appreciated.
Not much to do but learn from the experience and make sure you keep your
software up to date and don't be running *any* unnecessary services.
The URL in my sig will give you some good pointers.
--
Regards
Luke
------
When I die, I want to die like my Grandmother who died peacefully in her
sleep. Not screaming like all the passengers in her car.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
------
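Added example (not part of the original message): a small Python audit of passwd-format text that flags the kind of entry quoted above, a second UID 0 account with a login shell and a home directory under /usr/sbin. The sample file is constructed apart from the quoted r00t line, and the shell and directory lists are assumptions to adjust per system.

```python
# Added example: audit passwd(5) text for entries like the one quoted above.
import sys

# Assumed lists; adjust to the shells and layout of the system being checked.
LOGIN_SHELLS = {"", "/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh", "/bin/zsh"}
BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")

# Constructed sample; only the last line comes from the quoted message.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
alice:x:500:500:Alice:/home/alice:/bin/bash
r00t:x:0:0::/usr/sbin/r00t:/bin/bash
"""

def audit_passwd(text):
    """Return (line_number, account, reason) tuples for suspicious entries."""
    findings, first_owner = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdecimal():
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        name, uid, home, shell = fields[0], int(fields[2]), fields[5], fields[6]
        if uid == 0 and name != "root":
            findings.append((lineno, name, "UID 0 account other than root"))
        if uid in first_owner:
            findings.append((lineno, name, f"shares UID {uid} with {first_owner[uid]}"))
        first_owner.setdefault(uid, name)
        # Service accounts may live in /bin or /sbin, but not with a login shell
        # (an empty shell field counts, since login falls back to /bin/sh).
        in_bin_dir = any(home == d or home.startswith(d + "/") for d in BIN_DIRS)
        if in_bin_dir and shell in LOGIN_SHELLS:
            findings.append((lineno, name, "login shell with home in a binary directory"))
    return findings

if __name__ == "__main__":
    # With a path argument, audit that file (a copy of /etc/passwd); else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for lineno, name, reason in audit_passwd(text):
        print(f"line {lineno}: {name}: {reason}")
```

Since the quoted listing includes the adore kernel module, run the check against a copy of the file read from trusted boot media rather than trusting what the live system shows.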