MLUG: [MLUG] how did they break in?
Someone has achieved access as daemon on one of my machines.  They created
executable binary files /tmp/.X and /var/tmp/.X and a script /tmp/run and
netstat -a indicates that they access the machine through ingreslock (port
1524).  How do I get rid of them and how do I stop them from just coming
back again?  Mostly, I want to know what they did to get in so that I can
prevent it from happening again.

It looks like they would like to run /tmp/run (see below) because it would
probably give them root access, but they can't do it (yet).  Obviously,
I'll delete their files and I'll kill their processes, but why wouldn't
they just come straight back and do it again?

Any help greatly appreciated!

Mike


--------------------------------------------------------------------------
# cat /tmp/run

echo './run:cannote execute'
chown root:sys /var/tmp/.X
rm -f /tmp/run
--------------------------------------------------------------------------

This is what the file permissions are like now.  The two files are
identical:

-r-xr-xr-x   1 daemon   other     359176 May  5 13:37 /tmp/.X*
-r-sr-sr-x   1 daemon   other     359176 May  5 13:44 /var/tmp/.X*

--
To manage your subscription, go to http://mlug.missouri.edu/members/edit.php

Archives are available at http://mlug.missouri.edu/list-archives/
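A defender-side check for the two artefacts Mike describes, setuid/setgid or hidden executables dropped in /tmp and /var/tmp and a listener on the ingreslock port, as an added example that is not part of the original post. The directory list, the port number and the ss/netstat fallback are assumptions to adjust for the host being examined.

```shell
#!/bin/sh
# Added example (not from the original post): scan scratch directories for
# setuid/setgid or hidden executables and report any TCP listener on the
# ingreslock port. SCAN_DIRS, SUSPECT_PORT and the ss/netstat fallback are
# assumptions; adjust them for your host.

SCAN_DIRS="${SCAN_DIRS:-/tmp /var/tmp}"   # whitespace-separated on purpose
SUSPECT_PORT="${SUSPECT_PORT:-1524}"

# Print one "reason path" line for every regular file under the given
# directories that carries the setuid or setgid bit, and for every
# owner-executable file whose name starts with a dot (like /var/tmp/.X).
find_tmp_artifacts() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        # -perm -4000 = setuid bit set, -perm -2000 = setgid bit set
        find "$d" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
            sed 's/^/setuid-or-setgid /'
        # -name '.*' = hidden name, -perm -100 = owner-executable
        find "$d" -xdev -type f -name '.*' -perm -100 2>/dev/null |
            sed 's/^/hidden-executable /'
    done
}

# Print TCP sockets listening on the given port. Column 4 of both "ss -lnt"
# and "netstat -lnt" is the local address:port; ss is tried first.
check_listener() {
    port="${1:-$SUSPECT_PORT}"
    { ss -lnt 2>/dev/null || netstat -lnt 2>/dev/null; } |
        awk -v p=":$port\$" '$4 ~ p { print "listener " $4 }'
}

# Run both checks and exit 1 when anything was found, so a cron job can
# alert on the exit status instead of parsing the output.
scan() {
    report="$(find_tmp_artifacts $SCAN_DIRS; check_listener "$SUSPECT_PORT")"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Usage: sh tmpscan.sh --scan   (or source the file and call the functions)
case "${1:-}" in --scan) scan ;; esac
```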