I've posted numerous messages about this on GNHLUG, but not here on BLU, so I figured I'd offer a brief summary.

This past Friday, my RH6.1 machine was compromised. /bin/login was replaced with a version that allowed anyone to log in as root with no password, and telnet (which I normally don't allow at all) was re-enabled. This was apparently achieved by exploiting a bug in BIND 8.2, about which CERT has released an advisory:

http://www.cert.org/advisories/CA-99-14-bind.html

If you are running RH6.1 or any system with a BIND 8.2 version, make sure you get the update packages or get the latest version from ISC.

The attack was apparently done with a script, and does a rather nice job at leaving little evidence other than the obvious root shell. If this were done by hand by a knowledgeable attacker, it would have been extremely easy for them to eliminate all traces of the attack, other than leaving behind a /bin/login program that didn't have the same size and checksum of the original one. A talented attacker could even get around that one.

I noticed this attack because I could not retrieve my mail from the machine, and then saw that it had been rebooted. I was able to find out where the attack came from because I do a LOT of packet logging via ipchains, and the assailant made no effort to look for that. The machine the attack came from was also a RH6.1 system, so in all likelihood it was also attacked in the same manner.

The bottom line is I only noticed the system had been compromised because this was done by a script-kiddie. Had this been done by someone with a clue, I'd never have noticed. I'm going to start running an IDS and log to a different machine, and I'd recommend that if you have a Linux box connected to the internet that you do the same. But above all, go get your BIND up to date.

--
PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
------------------------------------------------------
Derek D. Martin | Unix/Linux Geek
derekm at mediaone.net | derek at cerberus.ne.mediaone.net
------------------------------------------------------
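The size-and-checksum comparison Derek mentions is the one trace a trojaned /bin/login leaves; the script below is an added example of that check (not part of the message or of any BLU tool) that records a baseline of size plus SHA-256 for a list of binaries and reports anything that has changed. It uses constructed temporary files as stand-ins for /bin/login; in practice the baseline belongs on a different machine, and the check should run from trusted media, since a root-level intruder can rewrite both the binaries and the hashing tools on the compromised host.

```python
import hashlib
import os
import tempfile


def file_fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return os.path.getsize(path), digest.hexdigest()


def build_baseline(paths):
    """Record size and hash for every path; store this copy off-host."""
    return {path: file_fingerprint(path) for path in paths}


def verify_baseline(baseline):
    """Compare the current files against the stored baseline.
    Returns a list of (path, reason) for every discrepancy found."""
    findings = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        cur_size, cur_digest = file_fingerprint(path)
        if cur_size != size:
            findings.append((path, "size %d -> %d" % (size, cur_size)))
        elif cur_digest != digest:
            # A careful replacement keeps the size; the hash still catches it.
            findings.append((path, "same size, sha256 differs"))
    return findings


def demo():
    """Constructed scenario: a stand-in 'login' file is replaced after the
    baseline was taken, first with a different size, then with the same
    size. Returns the findings for each case."""
    with tempfile.TemporaryDirectory() as tmpdir:
        login = os.path.join(tmpdir, "login")
        with open(login, "wb") as handle:
            handle.write(b"original login binary (constructed sample)")
        baseline = build_baseline([login])
        with open(login, "wb") as handle:
            handle.write(b"trojaned login: no password check (constructed)")
        size_case = verify_baseline(baseline)
        with open(login, "wb") as handle:
            handle.write(b"ORIGINAL LOGIN BINARY (CONSTRUCTED SAMPLE)")
        same_size_case = verify_baseline(baseline)
        return size_case, same_size_case
```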