[lug] Cracked system
chip at rmpg.org
Fri Sep 1 18:18:04 MDT 2000
I discovered that a machine in my charge has been totally cracked. I
believe that they went in via some exploit in bind. There is a bind RPM
in the cracker's working directory of bind-8_2_2_P3-1_i386.rpm.
The root kit that they installed only replaced /bin/login and /bin/ps, but
installed all kinds of things for remote denial of service and other
things. There was also a process called shell965, which was being
screened out by the ps.
To see if you have this problem, check for
These are the original ps and login that were wrapped by the new ps and
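An added example, not part of the original post and not the check the author goes on to describe: a replaced `ps` like the one reported above filters its own output, but the kernel still lists the process under `/proc`, so comparing the two listings surfaces what is being screened out. The function names, the PID 965 and the fake proc tree in `demo` are constructed for illustration, and `/proc/<pid>/comm` assumes a modern Linux kernel.

```shell
#!/bin/sh
# Compare PIDs the kernel exposes under a proc root with PIDs reported by ps.

# Print every numeric directory name under proc root $1.
# Uses only the shell's own globbing, so it does not depend on ls.
proc_pids() {
    for d in "$1"/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d##*/}"
    done | sort
}

# Print "PID NAME" for each PID under proc root $1 that is absent from
# the ps PID list stored in file $2 (one PID per line, padding allowed).
hidden_pids() {
    ps_sorted=$(mktemp)
    tr -d ' ' < "$2" | grep -E '^[0-9]+$' | sort > "$ps_sorted"
    proc_pids "$1" | comm -23 - "$ps_sorted" | while read -r pid; do
        printf '%s %s\n' "$pid" "$(cat "$1/$pid/comm" 2>/dev/null)"
    done
    rm -f "$ps_sorted"
}

# Constructed sample: three processes exist, ps reports only two of them.
demo() {
    root=$(mktemp -d)
    for p in 1 412 965; do mkdir "$root/$p"; done
    echo init     > "$root/1/comm"
    echo named    > "$root/412/comm"
    echo shell965 > "$root/965/comm"
    printf '    1\n  412\n' > "$root/ps.txt"   # what the filtered ps shows
    hidden_pids "$root" "$root/ps.txt"
    rm -rf "$root"
}

demo
```

On a live host, save `ps -e -o pid=` to a file and pass it with `/proc` to `hidden_pids`, using tools from trusted media rather than the suspect disk. A process that exits between the two listings can appear as a false positive, and a kernel-level rootkit that filters `/proc` itself is not caught by this comparison.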