MLUG: RE: [MLUG] how did they break in?
How about unplugging it from the network, dd'ing a copy of the drive,
and analyzing that with "The Coroner's Toolkit"? A Tripwire DB?
Installed from RPMs? This will give you the best chance of actually
learning anything instead of just fixing it. Make sure they don't get in
again . . . cya!

-- Brent

-----Original Message-----
From: Mike Miller [mailto:EMAIL:PROTECTED]
Sent: Tuesday, May 08, 2001 3:10 PM
To: MLUG membership
Subject: [MLUG] how did they break in?


Someone has achieved access as daemon on one of my machines.  They
created executable binary files /tmp/.X and /var/tmp/.X and a script
/tmp/run, and netstat -a indicates that they access the machine through
ingreslock (port 1524).  How do I get rid of them and how do I stop them
from just coming back again?  Mostly, I want to know what they did to
get in so that I can prevent it from happening again.

It looks like they would like to run /tmp/run (see below) because it
would probably give them root access, but they can't do it (yet).
Obviously, I'll delete their files and I'll kill their processes, but
why wouldn't they just come straight back and do it again?

Any help greatly appreciated!

Mike


--------------------------------------------------------------------------
# cat /tmp/run

echo './run:cannote execute'
chown root:sys /var/tmp/.X
rm -f /tmp/run
--------------------------------------------------------------------------

This is what the file permissions are like now.  The two files are
identical:

-r-xr-xr-x   1 daemon   other     359176 May  5 13:37 /tmp/.X*
-r-sr-sr-x   1 daemon   other     359176 May  5 13:44 /var/tmp/.X*

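Added triage example for this thread (it is not code from either poster). It puts the checks Brent lists into a script and runs them against the indicators Mike reports: set-uid/set-gid files in /tmp and /var/tmp, port 1524 (ingreslock) in netstat -a, and packaged files that no longer match a known-good baseline, with a sha256 baseline standing in for the Tripwire database. Function names are hypothetical and every input (the scratch tree, the two .X files, the netstat lines, the 203.0.113.9 address) is constructed here; on a real case point it at a read-only mount of the dd image, not the live disk.

```shell
#!/bin/sh
# Added example for the MLUG thread above, not the posters' code.
# Hypothetical helper names; all inputs in demo_triage are constructed.

# List set-uid / set-gid regular files under the directories given (e.g. /tmp /var/tmp).
# A -r-sr-sr-x file in /var/tmp is exactly what Mike's ls -l output shows.
find_setid_files() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Print the lines of a saved "netstat -a" listing that involve port 1524 (ingreslock).
ingreslock_lines() {
    grep -E '[.:](1524|ingreslock)([[:space:]]|$)' "$1"
}

# Record a sha256 for every regular file under DIR into OUT (poor man's Tripwire DB).
baseline_make() {   # DIR OUT
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Re-hash DIR and print the paths whose hash changed, or that appeared/disappeared.
baseline_check() {  # DIR BASELINE
    now=$(mktemp)
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$now"
    diff "$2" "$now" | awk '/^[<>]/ { print $3 }' | sort -u
    rm -f "$now"
}

# Constructed scenario: a scratch tree playing the role of the imaged disk.
demo_triage() {
    work=$(mktemp -d)
    mkdir -p "$work/tmp" "$work/var/tmp" "$work/usr/bin"

    # 1. Baseline the packaged files before the intrusion (the Tripwire DB Brent asks about).
    printf 'original ls binary\n' > "$work/usr/bin/ls"
    baseline_make "$work/usr" "$work/baseline.sha256"

    # 2. What the intruder left: modes copied from Mike's ls -l, contents are placeholders.
    printf 'placeholder\n' > "$work/tmp/.X";     chmod 0555 "$work/tmp/.X"
    printf 'placeholder\n' > "$work/var/tmp/.X"; chmod 6555 "$work/var/tmp/.X"
    printf 'trojaned ls\n'  > "$work/usr/bin/ls"   # a packaged file that was replaced

    # 3. A saved netstat -a listing (constructed; 203.0.113.9 is a documentation address).
    printf '%s\n' \
        'tcp        0      0 *:ssh                 *:*                 LISTEN' \
        'tcp        0      0 *:ingreslock          *:*                 LISTEN' \
        'tcp        0      0 myhost:ingreslock     203.0.113.9:4101    ESTABLISHED' \
        'tcp        0      0 *:1524                *:*                 LISTEN' \
        > "$work/netstat.txt"

    # Only /var/tmp/.X carries the s bits, so setid_files=1; three lines mention ingreslock/1524.
    echo "setid_files=$(find_setid_files "$work/tmp" "$work/var/tmp" | wc -l | tr -d ' ')"
    echo "ingreslock_lines=$(ingreslock_lines "$work/netstat.txt" | wc -l | tr -d ' ')"
    echo "changed_files=$(baseline_check "$work/usr" "$work/baseline.sha256" | tr '\n' ' ' | sed 's/ $//')"
    rm -rf "$work"
}
```

The baseline only helps if it was taken before the break-in, which is why Brent asks whether a Tripwire DB exists; on an RPM-based system the package database gives a substitute (`rpm -Va`, run with `--root` against the mounted image), though it trusts whatever RPM database is on the compromised disk.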
--
To manage your subscription, go to
http://mlug.missouri.edu/members/edit.php

Archives are available at http://mlug.missouri.edu/list-archives/