resolved Re: should i publish a list of cracked machines?

Roeland Meyer rmeyer at mhsc.com
Thu Aug 23 17:32:59 UTC 2001


|> From: Jim Mercer [mailto:jim at reptiles.org]
|> Sent: Thursday, August 23, 2001 9:39 AM

|> my suspicions and some things to look for:
|> 
|> - boxes were compromised using the buffer overflow in telnetd (speculation)
|> - my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
|> - nscd appears to be a hacked sshd, listening on a 14000 series port
|> - it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
|> - there was a file in /dev/ptaz which appeared to be DES crypto gunge
|> - there were a bunch of irc/eggdrop related files in a ".e" directory of
|>     one of the user's $HOME
|> 
|> suggestions for looking about:
|> 
|> - do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files
|>     with the same timestamp
|> 
|> - do a "du /dev" and look for anomalies
|> - do a "cd /dev ; ls -l | grep -e-" and look for anomalies
|> - do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies

Shorter answer ... run tripwire.
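The manual checks Jim lists and the "run tripwire" answer, written out as one added shell example (this is not code from the thread or from either poster). Each function prints the anomalous paths it finds, so an empty result means nothing found; the baseline pair does what tripwire does at its simplest, hashing every regular file and diffing against a saved manifest. Assumptions: GNU coreutils/findutils flags (stat -c, touch -d, sort -z, xargs -r; on FreeBSD you would use stat -f %m and touch -t instead), paths without whitespace, and a constructed sample tree that reproduces the indicators from the post rather than a real compromised host.

```shell
#!/bin/sh
# Added example, not from the original post.  Host checks from Jim Mercer's
# list plus a minimal tripwire-style baseline/compare.  Assumes GNU tools
# (stat -c, touch -d, sort -z, xargs -r) and paths without whitespace.

# 1. "cd /dev ; ls -l | grep -e-": plain files hiding among device nodes.
dev_regular_files() {
    find "$1" -type f | sort
}

# 2. "ls -lta in bindirs": where every file in /bin shares one install
#    timestamp, report files whose mtime differs from the most common one.
bindir_mtime_outliers() {
    dir=$1
    common=$(find "$dir" -maxdepth 1 -type f -exec stat -c '%Y' {} + |
             sort | uniq -c | sort -rn | awk 'NR == 1 { print $2 }')
    find "$dir" -maxdepth 1 -type f -exec stat -c '%Y %n' {} + |
        awk -v c="$common" '$1 != c { print $2 }' | sort
}

# 3. ssh_* files directly under /etc; FreeBSD keeps its own in /etc/ssh/.
stray_ssh_configs() {
    find "$1" -maxdepth 1 -name 'ssh_*' | sort
}

# 4. Tripwire-style baseline: hash every regular file under ROOT.  Keep the
#    manifest off the host (read-only media, another machine), or a trojaned
#    system will verify itself.
baseline_make() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# Compare ROOT against a saved manifest; prints ADDED / REMOVED / CHANGED lines.
baseline_check() {
    { sed 's/^/OLD /' "$2"; baseline_make "$1" | sed 's/^/NEW /'; } |
    awk '
        $1 == "OLD" { old[$3] = $2; next }
        $1 == "NEW" { new[$3] = $2; next }
        END {
            for (p in old) if (!(p in new)) print "REMOVED " p
            for (p in new) if (!(p in old)) print "ADDED " p
            for (p in new) if ((p in old) && old[p] != new[p]) print "CHANGED " p
        }' | sort
}

# Constructed sample tree (hypothetical) reproducing the indicators from the
# post: planted nscd, plain file in /dev, stray /etc/ssh_* file.  Prints path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/dev/fd" "$t/etc/ssh"
    for f in sh ls cat ps; do echo "binary $f" > "$t/bin/$f"; done
    touch -d '2001-04-20 00:00:00' "$t"/bin/*        # one install timestamp for all
    echo "hacked sshd" > "$t/bin/nscd"               # planted later
    touch -d '2001-08-20 03:14:00' "$t/bin/nscd"
    mkfifo "$t/dev/log"                              # non-regular entries belong in /dev
    echo "crypto gunge" > "$t/dev/ptaz"              # a plain file does not
    : > "$t/etc/ssh/sshd_config"                     # normal FreeBSD location
    : > "$t/etc/ssh_host_key"                        # intruder's private copy
    echo "$t"
}

# Stand-alone demo: run the checks, then show what the baseline catches once
# /bin/ls is swapped and an eggdrop ".e" directory is dropped in a home dir.
run_demo() {
    t=$(make_sample_tree)
    echo "== plain files in dev:";    dev_regular_files "$t/dev"
    echo "== mtime outliers in bin:"; bindir_mtime_outliers "$t/bin"
    echo "== stray ssh_* in etc:";    stray_ssh_configs "$t/etc"
    baseline_make "$t" > "$t.manifest"
    echo "trojaned ls" > "$t/bin/ls"
    mkdir -p "$t/home/user/.e" && : > "$t/home/user/.e/eggdrop.conf"
    echo "== baseline diff:";         baseline_check "$t" "$t.manifest"
    rm -rf "$t" "$t.manifest"
}
run_demo
```

The timestamp check is only meaningful on hosts installed from a release set, where the base binaries really do share one mtime; on a box that has been upgraded piecemeal it will flag legitimate updates, which is exactly why a hash manifest taken at install time is the stronger check.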
