You do have all of the latest patches installed and are running the current kernel, right? Some investigation of the files the users installed and the commands they ran if we're lucky (some of these people forget to clear .bash_history) would be very helpful, 'cause it sounds like we've got an unpatched exploit....
I use Fedora Core 3, and I installed all the updated rpm's. I use a kernel 2.6.12-rc3-RT-V0.7.46-02 (Ingo Molnar's patch)
On Wed, Apr 27, 2005 at 03:02:41PM +0200, Daniel Kirsten wrote:
I use Fedora Core 3, and I installed all the updated rpm's. I use a kernel 2.6.12-rc3-RT-V0.7.46-02 (Ingo Molnar's patch)
Were there any interesting files in the users' home directories? (Look for hidden files too, of course -- maybe a hidden directory named ... or something.) Also check in /tmp and /var. And any luck with the .bash_history? (For both the users and for root....)
Matthew Miller wrote:
Were there any interesting files in the users' home directories? (Look for hidden files too, of course -- maybe a hidden directory named ... or something.) Also check in /tmp and /var. And any luck with the .bash_history? (For both the users and for root....)
I have installed and use this stuff, http://www.rootkit.nl/, but it has never found any vulnerabilities (which probably does mean anything...)
/Håkan
On Wed, Apr 27, 2005 at 03:20:08PM +0200, Håkan Persson wrote:
Were there any interesting files in the users' home directories? (Look for hidden files too, of course -- maybe a hidden directory named ... or something.) Also check in /tmp and /var. And any luck with the .bash_history? (For both the users and for root....)
I have installed and use this stuff, http://www.rootkit.nl/, but it has never found any vulnerabilities (which probably does mean anything...)
Clearly the people who broke into this system found something. I'm interested to learn _what_.
----- Original Message -----
From: "Matthew Miller" mattdm@mattdm.org
To: "For users of Fedora Core releases" fedora-list@redhat.com
Sent: Wednesday, April 27, 2005 8:07 AM
Subject: Re: brute force ssh attack
On Wed, Apr 27, 2005 at 03:02:41PM +0200, Daniel Kirsten wrote:
I use Fedora Core 3, and I installed all the updated rpm's. I use a kernel 2.6.12-rc3-RT-V0.7.46-02 (Ingo Molnar's patch)
Were there any interesting files in the users' home directories? (Look for hidden files too, of course -- maybe a hidden directory named ... or something.) Also check in /tmp and /var. And any luck with the .bash_history? (For both the users and for root....)
Especially /var/tmp - that's a common place for rootkits to live.
On 4/27/05, Thomas Cameron thomas.cameron@camerontech.com wrote:
something.) Also check in /tmp and /var. And any luck with the .bash_history? (For both the users and for root....)
Especially /var/tmp - that's a common place for rootkits to live.
A doubt here,
I checked /tmp and found
srwxrwxrwx 1 wnn wnn 0 Apr 27 22:30 jd_sockV4
Why does this file (socket) have a different owner and user, while all others have either root or userabc?
drwxrwxrwt 2 xfs xfs 4096 Apr 29 22:30 .font-unix
This hidden file also has different permissions and a different owner and user, while others have either root or userabc.
xfs and wnn? These are not users created by me, so where did they come from?
Can someone please clear up this silly doubt.
On 4/29/05, M.Rudra dr.rudra@gmail.com wrote:
On 4/27/05, Thomas Cameron thomas.cameron@camerontech.com wrote:
something.) Also check in /tmp and /var. And any luck with the .bash_history? (For both the users and for root....)
Especially /var/tmp - that's a common place for rootkits to live.
A doubt here,
I checked /tmp and found
srwxrwxrwx 1 wnn wnn 0 Apr 27 22:30 jd_sockV4
Why does this file (socket) have a different owner and user, while all others have either root or userabc?
drwxrwxrwt 2 xfs xfs 4096 Apr 29 22:30 .font-unix
This hidden file also has different permissions and a different owner and user, while others have either root or userabc.
xfs and wnn? These are not users created by me, so where did they come from?
xfs is the font server; I do not know what wnn is. Check /etc/passwd for the list of users on the system.
N.Emile...
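Two of the checks suggested in this thread (Matthew Miller's hidden directories named "..." under /tmp, /var and the home directories, and N.Emile's advice to compare unfamiliar owners against /etc/passwd) can be scripted. The following is an added example, not code posted by anyone on the list; it assumes a find that supports -mindepth (GNU and BSD both do) and uses hypothetical function names.

```shell
#!/bin/sh
# Added triage helper (not from any poster). suspicious_entries DIR PASSWD_FILE
# prints, for everything under DIR, (a) entries whose name is made only of dots
# and/or spaces (the "hidden directory named ..." trick) and (b) entries whose
# owner is not listed in PASSWD_FILE (normally /etc/passwd).

suspicious_entries() {
    dir=$1
    passwd_file=$2
    find "$dir" -mindepth 1 -print | while IFS= read -r path; do
        name=${path##*/}
        # (a) a name consisting only of dots and/or spaces is a classic hiding trick
        if printf '%s\n' "$name" | grep -q '^[. ]*$'; then
            printf 'oddname %s\n' "$path"
        fi
        # (b) owner not present in the passwd file (ls -ld column 3 is the owner)
        owner=$(ls -ld -- "$path" | awk '{print $3}')
        if ! grep -q "^$owner:" "$passwd_file"; then
            printf 'unknown-owner %s %s\n' "$owner" "$path"
        fi
    done
}

# Builds a constructed sample tree (the names from the ls output in the thread,
# plus one "..."-style directory) and prints its path, so the helper can be
# tried offline without touching the real /tmp.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/userabc/..." "$root/tmp/.font-unix"
    : > "$root/home/userabc/.bash_history"   # ordinary hidden file: not flagged
    : > "$root/tmp/jd_sockV4"                # ordinary name: not flagged
    : > "$root/tmp/.. "                      # dot, dot, space: flagged
    printf '%s\n' "$root"
}

# Stand-alone run: scan the constructed tree against the real /etc/passwd.
if [ -r /etc/passwd ]; then
    demo=$(make_demo_tree)
    suspicious_entries "$demo" /etc/passwd
    rm -rf "$demo"
fi
```

On a real system run it as `suspicious_entries /tmp /etc/passwd` (and likewise for /var/tmp and /home), then inspect every flagged path by hand before deciding anything; a font server socket owned by xfs is expected, a directory named "..." is not.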
On Fri, 29 Apr 2005 17:27:58 -0400 "M.Rudra" dr.rudra@gmail.com wrote
On 4/27/05, Thomas Cameron thomas.cameron@camerontech.com wrote:
something.) Also check in /tmp and /var. And any luck with the .bash_history? (For both the users and for root....)
Especially /var/tmp - that's a common place for rootkits to live.
A doubt here,
I checked /tmp and found
srwxrwxrwx 1 wnn wnn 0 Apr 27 22:30 jd_sockV4
Why does this file (socket) have a different owner and user, while all others have either root or userabc?
wnn is your input method's user. (That's the software that allows you to type in non-Latin script with more characters than fit on the keyboard.)
[...]
-- Joel Rees rees@ddcom.co.jp digitcom, inc. 株式会社デジコム Kobe, Japan +81-78-672-8800 ** http://www.ddcom.co.jp **