hi ya giacomo..

On Thu, 22 Nov 2001, Giacomo Mulas wrote:

> On Thu, 22 Nov 2001, Alvin Oga wrote:
>
> > they tried.... doesn't mean they got in
>
> you are correct so far, but if you read later on, the original poster
> adds:
>
> > I had a number of rejected packets to port 137 immediately before, nmbd
> > crashed and the lprng exploit started.
>
> If at least one daemon was crashed, the attack may have been successful,
> so he has every reason to be cautious.

yup .... but, i'd move the samba server to be internal.. and not
externally visible....
- no reason for samba servers to be externally visible

samba ( nmbd/smbd could die for many different reasons )

without knowing the state of the fs before the attack...
it's a little harder to find what's different...
- ie.. run tripwire, checksums, aide, etc
- when checking a possibly infected host, am assuming one uses the
  binary off of a cdrom instead of the (trojaned) machine itself to
  check its binary... which usually returns all okay.. even if it's not

fun stuff... to go checking ... not fun to have to rebuild a new box
and very carefully restore data

have fun linux
alvin