- To: "Simon Bowden" <simonb@xxxxxxxxxxx>
- Subject: RE: [SLUG] Security Breach
- From: "Sean Carmody" <sean@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu Mar 1 18:38:02 2001
- Cc: <slug@xxxxxxxxxxx>
- Reply-to: <sean@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
> This occurred to me as well last night - I think around 3am. Similarly, it
> was discovered because the mail destination domain could not be found.
> However, I think this is because somewhere in the process of getting in,
> they broke my local named (I wasn't working in the morning) - that or
> somewhere upstream someone hurt DNS - I was getting a lot of "Lame server
> errors". The email contained the output of ifconfig and the contents of
> /etc/passwd and /etc/shadow.
My local named seemed ok. Contents of my email exactly as you describe.
> The ISP I was on was Telstra bigpond - if it's the same, maybe they were
> scanning that range of addresses.
I was on ihug.
> The other change I found was the following entry on the end of
> /etc/inetd.conf:
> 1008 stream tcp nowait root /bin/sh sh
>
> which you may want to check for and remove/comment.
That's in mine too! Now commented.
> I am thinking it could have been the BIND exploit coming active, but not
> sure (I haven't upgraded yet, and my listen-on clause was broken -
> now fixed not to listen outside).
>
> The fact that they edited /etc/inetd.conf and cat-d shadow indicates root
> privileges. However, there doesn't seem to be any evidence of things inside
> or other changes, so possibly a buffer of exploit type deal?
>
> I run RH6.2 btw :)
So do I.
> The only services I had running out of inetd were ftp, telnet and auth
> (first 2 are shut down until i get home to tighten things) - not portmap.
>
> Makes you wonder if one should send an edited email with prepared IP and
> ready a box to trace what happens :)
Was your email also addressed to 1i0nip@xxxxxxxxx?
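A defender-side check for the kind of inetd.conf entry quoted in this thread, added here as an example and not part of the original posts: it parses an inetd.conf in the classic seven-field format and flags entries that spawn a shell directly or are named by a bare port number rather than an /etc/services name. The sample file embedded below is constructed for the example.

```python
# Constructed sample /etc/inetd.conf: typical RH 6.2-era entries plus the
# appended line the posters found. Field order for each entry is
# <service> <socket_type> <proto> <flags> <user> <server_path> [<args>]
SAMPLE_INETD_CONF = """\
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd       in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd       in.telnetd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd       in.fingerd
1008 stream tcp nowait root /bin/sh sh
"""

# Interpreters that no legitimate inetd service hands a socket to directly.
SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "ash"}


def parse_inetd_conf(text):
    """Yield (line_no, fields) for every active (non-comment) entry."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed; inetd would skip it as well
        yield n, fields


def suspicious_entries(text):
    """Return (line_no, service, user, server, reasons) for entries that
    match the two signals in the thread: a shell as the server program,
    and a service named by a bare port number."""
    findings = []
    for n, f in parse_inetd_conf(text):
        service, server = f[0], f[5]
        user = f[4].split(".")[0].split(":")[0]  # strip user.group / user:group
        base = server.rsplit("/", 1)[-1]
        reasons = []
        if base in SHELLS:
            reasons.append("%s spawned directly as user %s" % (base, user))
        if service.isdigit():
            reasons.append("service is a bare port number (%s)" % service)
        if reasons:
            findings.append((n, service, user, server, reasons))
    return findings


if __name__ == "__main__":
    for n, service, user, server, reasons in suspicious_entries(SAMPLE_INETD_CONF):
        print("line %d: %s -> %s (%s): %s" % (n, service, server, user, "; ".join(reasons)))
```

To run it against a real file, pass `open("/etc/inetd.conf").read()` to `suspicious_entries` instead of the constructed sample.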