[ale] I can't seem to plug up all the security holes in my box...

hirsch at zapmedia.com hirsch at zapmedia.com
Wed Jun 21 09:33:03 EDT 2000


>>>>> "Jim" == Jim Kinney <jkinney at teller.physics.emory.edu> writes:

    Jim> You've got problems!  Start by dropping to single-user mode
    Jim> and from a known good source replace every binary that
    Jim> touches any aspect of networking, login and logging.  Make
    Jim> sure you are using shadow passwords. You also need to do a
    Jim> security scan for cgi scripts with holes. That is hard
    Jim> work. Try using nessus from another machine to probe your
    Jim> system after you bring it back to multiuser mode.

And then change all the passwords.  Lots of root kits put in some sort
of trojaned login command.  That may well be how this guy has broken
in.  He got in once and installed the trojan.  From then on he can
login as anyone who has logged in since.

The time I was cracked I got lucky.  The cracker trojaned login, but
the trojan stored the user/password file locally.  I guess the plan
was to come back later and get them, but I got there first.

Best of luck,

-- 
------------------------
Michael D. Hirsch, Ph.D.
Software Developer
zapmedia.com

Phone: 678-420-2722                FAX: 678-420-2839
email: michael.hirsch at zapmedia.com Web: http://www.zapmedia.com
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
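An added example, not part of the post or the list archive: a small POSIX shell script in the spirit of Jim's and Michael's advice, comparing the login, network and logging binaries against a SHA-256 manifest taken from a known-good source and checking that password hashes live in the shadow file rather than in a world-readable passwd. The list of binaries, the manifest format and the demo's fake file tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Compares critical binaries
# against a known-good SHA-256 manifest and checks shadow passwords are in use.

# Binaries that touch networking, login and logging (assumed list).
CRITICAL_BINS="login sshd inetd syslogd ps netstat ls ifconfig"

# verify_manifest MANIFEST ROOT
# MANIFEST lines look like "<sha256>  <path relative to ROOT>", as produced
# by sha256sum on a trusted copy.  Prints each missing or changed file and
# returns 1 if anything differs, 0 if every file matches.
verify_manifest() {
    manifest=$1; root=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$(sha256sum "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# shadow_ok PASSWD_FILE
# Returns 0 when every password field is "x" (hash in shadow) or a lock
# marker ("*" or "!"); returns 1 if any real hash sits in the passwd file.
shadow_ok() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" { exit 1 }' "$1"
}

# demo: constructed fake root whose "login" is replaced after the manifest
# was taken, so verify_manifest should report it as MODIFIED.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    for b in $CRITICAL_BINS; do printf 'genuine %s\n' "$b" > "$root/bin/$b"; done
    ( cd "$root" && sha256sum bin/* ) > "$root/manifest.known-good"
    printf 'replaced login\n' > "$root/bin/login"   # simulate a swapped binary
    verify_manifest "$root/manifest.known-good" "$root"; rc=$?
    rm -rf "$root"
    return $rc
}

case "${1:-}" in demo) demo ;; esac
```

Run with `sh script.sh demo` to see the constructed mismatch reported; on a real box, generate the manifest from trusted media and point verify_manifest at the suspect root.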