Compromised RH6.1 system

Jerry Feldman gaf at blu.org
Sat Apr 22 16:10:01 EDT 2000 

SuSE has had this posted this on their web site for some time. 
http://www.suse.de/de/support/security/suse_security_announce_28.txt

Derek Martin wrote:

> This was apparently achieved by exploiting a bug in BIND 8.2, about which
> CERT has released an advisory:
> 
>   http://www.cert.org/advisories/CA-99-14-bind.html
> 
> If you are running RH6.1 or any system with a BIND 8.2 version, make sure
> you get the update packages or get the latest version from ISC.
> 
> The attack was apparently done with a script, and does a rather nice job
> at leaving little evidence other than the obvious root shell.  If this
> were done by hand by a knowledgeable attacker, it would have been
> extremely easy for them to eliminate all traces of the attack, other than
> leaving behind a /bin/login program that didn't have the same size and
> checksum of the original one. A talented attacker could even get around
> that one.
> 
> I noticed this attack because I could not retrieve my mail from the
> machine, and then saw that it had been rebooted.  I was able to find out
> where the attack came from because I do a LOT of packet logging via
> ipchains, and the assailant made no effort to look for that.  The machine
> the attack came from was also a RH6.1 system, so in all likelyhood it was
> also attacked in the same manner.
> 
> The bottom line is I only noticed the system had been compromised because
> this was done by a script-kiddie.  Had this been done by someone with a
> clue, I'd never have noticed.
> 
> I'm going to start running an IDS and log to a different machine, and I'd
> recommend that if you have a Linux box connected to the internet that you
> do the same. But above all, go get your BIND up to date.
> 
> -- 
> PGP/GPG Public key at http://cerberus.ne.mediaone.net/~derek/pubkey.txt
> ------------------------------------------------------
> Derek D. Martin      |  Unix/Linux Geek
> derekm at mediaone.net  |  derek at cerberus.ne.mediaone.net
> ------------------------------------------------------
> 
> -
> Subcription/unsubscription/info requests: send e-mail with
> "subscribe", "unsubscribe", or "info" on the first line of the
> message body to discuss-request at blu.org (Subject line is ignored).
> 

-- 
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix user group
http://www.blu.org


-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).

More information about the Discuss mailing list