Security Incidents mailing list archives

Re: Compromised...


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Tue, 8 Feb 2000 11:30:28 +0100


On Mon, Feb 07, 2000 at 12:30:02PM -0600, Steve Logan wrote:

This morning I tried to ssh to a domain I host on one of my boxes.  I soon
realized the domain wasn't resolving.  I then ssh'd to the ip of the box.
I discovered that named wasn't running.  I restarted it.  I was curious to
find out why it had died.  I started looking through the logs and I soon
realized my machine had been broken into. Several binaries had been
replaced.  (ps, ls, netstat, ...).  I replaced the ps and ls and found
some interesting things.  There was a process running called in,telnetd
(notice the comma).  I found this in "/usr/ /":

After running strings on these files it appears they are a shell program
and password files.  The in,telnetd is logging all network traffic to
sniff.log.  All of the log files had been modified.  History was modified.
wtmp was modified.  inetd.conf was changed.  Several other things were
also changed.  There was a directory called ADMROCKS in /var/named.

Most likely a scripted break in through the use of adm's t666 NXT exploit.
The public exploit is not fool-proof, so it might be easy to detect, also
the attackers didn't restarted named, most likely they don't have experience
in what they doing or they ran into other problems.
I know of one other exploit for the NXT vulnerability, which works a bit
better against Linux and BSD systems and is more easily integrateable into
scripts and such.

Has anyone else experienced this?  How did they get in?  At this point I'm
pretty sure it was through named.  How should I go about cleaning it up?
Right now I think I'll just reinstall the RPM's off of the cd.  Will this
be enough (along with upgrading BIND)?  If anyone could share any useful
information please do so.

BIND NXT 8.2[.1] vulnerability, there is even a CERT advisory about it.

Thanks,
Steve Logan

ciao,
scut / teso

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet   --
-- you don't need a lot of people to be great, you need a few great to be  --
-- the best ------------------------------------------------------------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
--- aquired Talon operating system source, awaiting orders, hi echelon -------



Current thread: