Thornton,

Okay, that confirms the problem. Now how to recover (short of
reinstallation)? Has anybody ever recovered from such an incident?

Rilindo Foster

-----Original Message-----
From: Thornton Prime [mailto:[EMAIL PROTECTED]]
Sent: Saturday, March 03, 2001 7:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Weird password problem - root linked to user login.



On Sat, 3 Mar 2001, Rilindo Foster wrote:

> Feb 27 22:35:35 redhserver rpc.statd[360]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8049710 8052c28687
...
> Feb 27 22:38:20 redhserver adduser[3642]: new user: name=sql, uid=0, gid=0,
> home=/bin, shell=/bin/bash

DANGER, DANGER WILL ROBINSON!

That definitely looks like you've been hacked.

rpc.statd is one of those notorious security holes. There are updates
fixing all the known exploits, but I'm guessing this was done before you
had a chance to install them.

The next part shows someone adding a user account 'sql' with the same uid
as root. Basically, it is a backdoor account and has no legitimate
purpose.

thornton



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list



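The two indicators Thornton points at in the quoted syslog (an rpc.statd line whose hostname is binary garbage, and an adduser entry creating a uid=0 account) can be checked for mechanically. The following is an added example, not code from either poster; the log lines and passwd entries are constructed to mirror the thread, and the hostname "redhserver" and account name "sql" are taken from it.

```python
"""Audit syslog text and /etc/passwd for the two signs seen in the thread:
1. a daemon line (rpc.statd here) logging a string of non-printable bytes,
   the footprint of an overflow payload being passed as a hostname;
2. an account other than root created or present with uid 0."""
import re

# Constructed sample lines modelled on the thread, not real captures.
SAMPLE_SYSLOG = [
    "Feb 27 22:35:35 redhserver rpc.statd[360]: gethostbyname error for "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbf\x19\xf7\xff\xbf bffff750 8049710",
    "Feb 27 22:36:01 redhserver sshd[401]: Accepted password for rilindo",
    "Feb 27 22:38:20 redhserver adduser[3642]: new user: name=sql, uid=0, "
    "gid=0, home=/bin, shell=/bin/bash",
    "Feb 27 22:40:00 redhserver adduser[3650]: new user: name=web, uid=501, "
    "gid=501, home=/home/web, shell=/bin/bash",
]
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sql:x:0:0::/bin:/bin/bash
web:x:501:501::/home/web:/bin/bash
"""

ADDUSER_RE = re.compile(r"adduser\[\d+\]: new user: name=(\w+), uid=(\d+)")

def has_binary_garbage(line, threshold=4):
    """True when a log line carries several control or high-bit characters,
    which a well-formed hostname never does."""
    bad = sum(1 for ch in line if not ch.isprintable() or ord(ch) > 0x7E)
    return bad >= threshold

def suspicious_uid0_adds(lines):
    """Account names created via adduser with uid 0 that are not root."""
    hits = []
    for line in lines:
        m = ADDUSER_RE.search(line)
        if m and m.group(2) == "0" and m.group(1) != "root":
            hits.append(m.group(1))
    return hits

def uid0_accounts(passwd_text):
    """Every passwd entry whose uid field is 0, except root itself."""
    names = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

def audit(syslog_lines, passwd_text):
    """Combine the three checks into one report dictionary."""
    return {
        "garbage_lines": [l for l in syslog_lines if has_binary_garbage(l)],
        "uid0_added": suspicious_uid0_adds(syslog_lines),
        "uid0_in_passwd": uid0_accounts(passwd_text),
    }
```

Run against a real system, the passwd check is the one that still matters after the logs are gone: a second uid 0 entry survives a reboot and any log rotation.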
