SuSE has had this posted on their web site for some time.

http://www.suse.de/de/support/security/suse_security_announce_28.txt

Derek Martin wrote:
> This was apparently achieved by exploiting a bug in BIND 8.2, about which
> CERT has released an advisory:
>
> http://www.cert.org/advisories/CA-99-14-bind.html
>
> If you are running RH6.1 or any system with a BIND 8.2 version, make sure
> you get the update packages or get the latest version from ISC.
>
> The attack was apparently done with a script, and does a rather nice job
> at leaving little evidence other than the obvious root shell. If this
> were done by hand by a knowledgeable attacker, it would have been
> extremely easy for them to eliminate all traces of the attack, other than
> leaving behind a /bin/login program that didn't have the same size and
> checksum as the original one. A talented attacker could even get around
> that one.
>
> I noticed this attack because I could not retrieve my mail from the
> machine, and then saw that it had been rebooted. I was able to find out
> where the attack came from because I do a LOT of packet logging via
> ipchains, and the assailant made no effort to look for that. The machine
> the attack came from was also a RH6.1 system, so in all likelihood it was
> also attacked in the same manner.
>
> The bottom line is I only noticed the system had been compromised because
> this was done by a script-kiddie. Had this been done by someone with a
> clue, I'd never have noticed.
>
> I'm going to start running an IDS and log to a different machine, and I'd
> recommend that if you have a Linux box connected to the internet that you
> do the same. But above all, go get your BIND up to date.
>
> --
> PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
> ------------------------------------------------------
> Derek D. Martin | Unix/Linux Geek
> derekm at mediaone.net | derek at cerberus.ne.mediaone.net
> ------------------------------------------------------
>
> -
> Subscription/unsubscription/info requests: send e-mail with
> "subscribe", "unsubscribe", or "info" on the first line of the
> message body to discuss-request at blu.org (Subject line is ignored).

--
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix user group
http://www.blu.org
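The detection Derek describes in the quoted message (a /bin/login that no longer matches the original's size and checksum) is what a stored file-integrity baseline automates, and it is the kind of check that belongs with the off-box logging he recommends. The following is an added example, not code from this thread or from BLU. It assumes SHA-256 as the checksum (the post does not name one), builds stand-in files in a temporary directory rather than touching /bin, and simulates a same-size replacement of "login" by flipping one byte, a constructed scenario that shows why the hash, not the size, is what catches the substitution.

```python
"""Size + SHA-256 baseline check for system binaries (added example)."""
import hashlib
import json
import os
import tempfile


def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for one file, read in chunks."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()


def build_baseline(paths):
    """Record size and hash for each path. Store the result on another host
    (or read-only media), since a baseline kept on the box can be edited
    by whoever replaced the binary."""
    baseline = {}
    for path in paths:
        size, sha = fingerprint(path)
        baseline[path] = {"size": size, "sha256": sha}
    return baseline


def check_baseline(baseline):
    """Compare live files against a baseline.

    Returns {path: status}, where status is 'ok', 'modified' or 'missing'.
    A size match with a hash mismatch is still 'modified'; that is the
    case a size-only comparison misses.
    """
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
            continue
        size, sha = fingerprint(path)
        if size == expected["size"] and sha == expected["sha256"]:
            findings[path] = "ok"
        else:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed scenario: stand-ins for login, ls and sh in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {}
        for name in ("login", "ls", "sh"):
            files[name] = os.path.join(tmp, name)
            with open(files[name], "wb") as fh:
                fh.write(b"\x7fELF original %s binary (constructed)" % name.encode())

        # The serialized baseline is what you would ship to the log host.
        serialized = json.dumps(build_baseline(list(files.values())), indent=2)

        # Same-size replacement of login: flip the last byte so the size is
        # unchanged but the hash differs.
        with open(files["login"], "rb") as fh:
            data = bytearray(fh.read())
        data[-1] ^= 0xFF
        with open(files["login"], "wb") as fh:
            fh.write(bytes(data))

        # ls removed outright; sh left untouched.
        os.remove(files["ls"])

        findings = check_baseline(json.loads(serialized))
        return {os.path.basename(p): s for p, s in findings.items()}


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name}: {status}")
```

Running the script prints `login: modified`, `ls: missing`, `sh: ok`. In practice the baseline would be generated right after installation, before the machine is exposed, and the comparison run from a copy held elsewhere; a baseline that lives on the compromised host is only as trustworthy as the host.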