Hello
I originally started writing this because I wanted to know if my ethernet
card could put itself into promiscuous mode (even though I was pretty
sure of the answer), but it's now more of a log of my search through the
system.
My colleague came in last night to find that our network was being
flooded. On further investigation he traced it to my server and pulled the
patch cable from the wall. I checked the logs this morning and found the
following:
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Mar 22 17:11:24 jenner kernel: imp uses obsolete (PF_INET,SOCK_PACKET)
Mar 22 17:11:24 jenner kernel: eth0: Setting promiscuous mode.
Mar 22 17:11:24 jenner kernel: device eth0 entered promiscuous mode
Security Violations
=-=-=-=-=-=-=-=-=-=
Mar 22 18:12:48 jenner login: FAILED LOGIN 1 FROM (null) FOR , User not
known to the underlying authentication module
Mar 22 18:12:48 jenner login: FAILED LOGIN 2 FROM (null) FOR , User not
known to the underlying authentication module
Mar 22 18:13:11 jenner login: FAILED LOGIN 3 FROM (null) FOR , User not
known to the underlying authentication module
Mar 22 18:13:11 jenner login: FAILED LOGIN SESSION FROM (null) FOR , User
not known to the underlying authentication module
So I ran tripwire and found a reference to "imp".
/dev/sda69/. /t00ls/imp
st_ino: 42968 42937
---> File: '/dev/sda69/.\040/t00ls/imp'
---> Update entry? [YN(y)nh?]
So I went to /dev/sda69/. /t00ls, which I'm pretty sure shouldn't be
there?? It had other files in it such as
check fin.secure hell imp orgasm secure
ssynk4 udp.l check.c foo hunt.tar linsmaq
phonix slice stealth duy getcast iffit.tar
milk psmurf sm thc
A quick look in check.c revealed
printf("\n .:( cr0n v1.0 ):. by c0de red ");
printf("\n The best vulnerability scanner ");
I don't think there's much point going any further. I guess a full
re-install is the only way to fix it.
Regards
Todd
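Added example (not part of Todd's mail): a small Python log scanner that picks out the two indicators the mail above reports, the kernel's "entered promiscuous mode" message (paired with the preceding SOCK_PACKET line naming the program that opened the raw socket) and clusters of FAILED LOGIN entries, plus a check for tripwire-reported paths under /dev whose components contain whitespace, as "/dev/sda69/. /t00ls" does. The sample log lines are constructed after the excerpts in the mail; the final sshd line is an invented benign entry.

```python
import re
from collections import Counter

# Constructed sample, copied in shape from the log excerpts in the mail above.
SAMPLE_LOG = """\
Mar 22 17:11:24 jenner kernel: imp uses obsolete (PF_INET,SOCK_PACKET)
Mar 22 17:11:24 jenner kernel: eth0: Setting promiscuous mode.
Mar 22 17:11:24 jenner kernel: device eth0 entered promiscuous mode
Mar 22 18:12:48 jenner login: FAILED LOGIN 1 FROM (null) FOR , User not known to the underlying authentication module
Mar 22 18:12:48 jenner login: FAILED LOGIN 2 FROM (null) FOR , User not known to the underlying authentication module
Mar 22 18:13:11 jenner login: FAILED LOGIN 3 FROM (null) FOR , User not known to the underlying authentication module
Mar 22 18:13:11 jenner login: FAILED LOGIN SESSION FROM (null) FOR , User not known to the underlying authentication module
Mar 22 18:20:00 jenner sshd: Accepted publickey for todd from 10.0.0.5
"""

# Kernel names the program that opened a packet socket the old way, then the interface it put into promiscuous mode.
SOCK_PACKET_RE = re.compile(r"kernel: (\S+) uses obsolete \(PF_INET,SOCK_PACKET\)")
PROMISC_RE = re.compile(r"kernel: device (\S+) entered promiscuous mode")
# login(1) records the attempt number (or SESSION), the source and the (possibly empty) user name.
FAILED_LOGIN_RE = re.compile(r"login: FAILED LOGIN (\d+|SESSION) FROM (\S+) FOR (\S*),")

def scan_syslog(text, failed_threshold=3):
    """Return promiscuous-mode interfaces (with the program, if logged) and sources with repeated failed logins."""
    promisc = {}           # interface -> program seen on the preceding SOCK_PACKET line, or None
    failed = Counter()     # source -> number of FAILED LOGIN lines
    last_prog = None
    for line in text.splitlines():
        m = SOCK_PACKET_RE.search(line)
        if m:
            last_prog = m.group(1)
            continue
        m = PROMISC_RE.search(line)
        if m:
            promisc[m.group(1)] = last_prog
            continue
        m = FAILED_LOGIN_RE.search(line)
        if m:
            failed[m.group(2)] += 1
    repeated = {src: n for src, n in failed.items() if n >= failed_threshold}
    return {"promiscuous": promisc, "failed_logins": repeated}

def hidden_dev_paths(paths):
    """Flag paths under /dev with whitespace in a component; real device nodes never need that."""
    return [p for p in paths if p.startswith("/dev/") and any(c != c.strip() or " " in c for c in p.split("/"))]
```

Running `scan_syslog(SAMPLE_LOG)` on the sample reports eth0 as promiscuous (opened by `imp`) and four failed logins from `(null)`; `hidden_dev_paths` flags only the tripwire path.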