[40848] in North American Network Operators' Group


RE: resolved Re: should i publish a list of cracked machines?

daemon@ATHENA.MIT.EDU (Roeland Meyer)
Thu Aug 23 13:33:22 2001

Message-ID: <EA9368A5B1010140ADBF534E4D32C728069E28@condor.mhsc.com>
From: Roeland Meyer <rmeyer@mhsc.com>
To: 'Jim Mercer' <jim@reptiles.org>, nanog@merit.edu
Date: Thu, 23 Aug 2001 10:32:59 -0700
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Errors-To: owner-nanog-outgoing@merit.edu


|> From: Jim Mercer [mailto:jim@reptiles.org]
|> Sent: Thursday, August 23, 2001 9:39 AM

|> my suspicions and some things to look for:
|> 
|> - boxes were compromised using the buffer overflow in telnetd (speculation)
|> - my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
|> - nscd appears to be a hacked sshd, listening on a 14000 series port
|> - it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
|> - there was a file in /dev/ptaz which appeared to be DES crypto gunge
|> - there were a bunch of irc/eggdrop related files in a ".e" directory of
|>     one of the user's $HOME
|> 
|> suggestions for looking about:
|> 
|> - do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files
|>     with the same timestamp
|> 
|> - do a "du /dev" and look for anomalies
|> - do a "cd /dev ; ls -l | grep -e-" and look for anomalies
|> - do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies

Shorter answer ... run tripwire.
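The quoted checks (new or altered binaries in /bin and /usr/bin, regular files sitting in /dev) and the reply's "run tripwire" boil down to a file-integrity baseline. The following is an added shell example written for this page, not code from the thread or from tripwire; it assumes POSIX sh with find, sha256sum, sort and awk, and paths without whitespace.

```shell
#!/bin/sh
# Added example, not code from the NANOG thread: a minimal tripwire-style
# baseline/verify pair for a binary directory, plus the "regular file in /dev"
# check from the post. Assumes POSIX sh with find, sha256sum, sort and awk,
# and paths without whitespace (sha256sum's "hash  path" lines are split on it).

# Record the SHA-256 of every regular file under $1 into baseline file $2.
# Take this on a known-clean system and keep the file off-box or read-only.
baseline_dir() {
    find "$1" -type f -exec sha256sum {} + | sort -k2 > "$2"
}

# Compare the current contents of $1 with baseline $2. Prints one line per
# discrepancy (ADDED / REMOVED / CHANGED <path>); returns 0 only when clean.
# A planted binary such as the bogus nscd shows up as ADDED, a trojaned
# login or ls as CHANGED.
verify_dir() {
    dir=$1; base=$2
    cur=$(mktemp)
    find "$dir" -type f -exec sha256sum {} + | sort -k2 > "$cur"
    report=$(awk '{print $2}' "$base" "$cur" | sort -u | while read -r p; do
        old=$(awk -v p="$p" '$2 == p {print $1}' "$base")
        new=$(awk -v p="$p" '$2 == p {print $1}' "$cur")
        if [ -z "$old" ]; then echo "ADDED $p"
        elif [ -z "$new" ]; then echo "REMOVED $p"
        elif [ "$old" != "$new" ]; then echo "CHANGED $p"
        fi
    done)
    rm -f "$cur"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# /dev should contain device nodes, directories and symlinks, not regular
# files. This is the find equivalent of the post's "ls -l | grep" check and
# would have flagged a stash like /dev/ptaz.
dev_regular_files() {
    find "$1" -type f
}
```

Run baseline_dir once on a clean host (e.g. against /bin and /usr/bin) and verify_dir from cron or by hand; a baseline stored on the same box can be edited by whoever planted the binaries, so keep it elsewhere.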
