On Mon, 11 Sep 2000, wYRd wrote:
> Looking over a client's system I found the following
> line in inetd.conf:
> 9704 stream tcp nowait root /bin/sh sh -i
Yep, that's an unashamed hack. This is your average "I'm too stupid to
_hide_ the back door, so I'll hope that no one looks" script kiddie
signature.
I suggest you:
    netstat -avnp | grep LISTEN
to determine what services are open to the outside world. Determine what
version of each service you're running, and look around for
exploits. That might help you determine how the attacker gained
access. This information is useful, because you can then check other
machines on the same network for that service, and find out whether you
need to check more machines for compromises (you may want to check
regardless of what you find on the known compromised machine).
Once you've examined the system, format it clean and re-install
everything. Don't run unneeded services, and carefully evaluate the
usefulness of those you think you need.
MSG
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
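
When checking the other machines on the network, as the reply suggests, the inetd.conf entry quoted in this thread can be searched for mechanically. The script below is an added example, not part of the original post: the function names, the two heuristics and every sample line except the 9704 entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag inetd.conf entries that hand a connection to a shell.
# inetd.conf fields: service socket proto wait user server-program args...

# flag_inetd_entries [FILE...]  (reads stdin when no file is given)
# Prints "LINE: REASON: entry" per suspicious entry; exit 1 if any was flagged.
flag_inetd_entries() {
    awk '
        function base(p,   a, n) { n = split(p, a, "/"); return a[n] }
        function is_shell(p) { return base(p) ~ /^(sh|ash|bash|csh|tcsh|ksh|zsh)$/ }
        /^[[:space:]]*#/ || NF < 6 { next }   # skip comments and malformed lines
        {
            reason = ""
            # $6 is the program inetd executes; $7 is checked as well so a
            # shell launched through a wrapper such as tcpd is still caught.
            if (is_shell($6) || is_shell($7))
                reason = "server is a shell"
            else if ($1 ~ /^[0-9]+$/)
                reason = "numeric port, no service name"
            if (reason != "") {
                printf "%d: %s: %s\n", NR, reason, $0
                found = 1
            }
        }
        END { exit found + 0 }
    ' "$@"
}

# Constructed sample file; only the 9704 line is taken from the thread.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
9704 stream tcp nowait root /bin/sh sh -i
2049 stream tcp nowait nobody /usr/local/sbin/exampled exampled
EOF
}

# Demo run; on a real host use: flag_inetd_entries /etc/inetd.conf
sample_inetd_conf | flag_inetd_entries || true
```

A numeric-port hit is only a prompt to look closer, and a clean result does not clear a host: compare it against the listening sockets reported by the netstat command above.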