[lug] Cracked system

Chip Atkinson chip at rmpg.org
Fri Sep 1 18:18:04 MDT 2000


I discovered that a machine in my charge has been totally cracked.  I
believe that they went in via some exploit in bind.  There is a bind RPM
in the cracker's working directory of bind-8_2_2_P3-1_i386.rpm.

The root kit that they installed only replaced /bin/login and /bin/ps, but
installed all kinds of things for remote denial of service and other
things.  There was also a process called shell965, which was being
screened out by the ps.  

To see if you have this problem, check for 
/usr/bin/h2so4 and

These are the original ps and login that were wrapped by the new ps and
login scripts.


More information about the LUG mailing list