Security Incidents mailing list archives

Re: Compromised...


From: felix () BROADBAND HU (Marianovich Felix)
Date: Tue, 8 Feb 2000 09:12:27 +0100


Hello Steve!

This morning I tried to ssh to a domain I host on one of my boxes.  I soon
realized the domain wasn't resolving.  I then ssh'd to the ip of the box.
I discovered that named wasn't running.  I restarted it.  I was curious to
find out why it had died.  I started looking through the logs and I soon
realized my machine had been broken into. Several binaries had been
replaced.  (ps, ls, netstat, ...).  I replaced the ps and ls and found
some interesting things.  There was a process running called in,telnetd
(notice the comma).  I found this in "/usr/ /":
It sounds interesting.... Once I was same thing....  Why stopped your named?
At my attack it was stopped too, because the hacker wanted to start named
on wrong way... What is the version number of your BIND?

Has anyone else experienced this?  How did they get in?  At this point I'm
pretty sure it was through named.  How should I go about cleaning it up?
Right now I think I'll just reinstall the RPM's off of the cd.  Will this
be enough (along with upgrading BIND)?  If anyone could share any useful
information please do so.
Do You have imap, or any older version of pop3? At my attack was through
imap.

Bye,
Felix Marianovich.


Current thread: