[lug] Fun with being hacked

Warren Sanders sanders at MontanaLinux.Org
Tue Aug 14 10:02:01 MDT 2001

ps waux

but sometimes that won't show rootkits as they may replace 'ps' to hide
themselves. :/

On Tue, 14 Aug 2001, HEROLD wrote:

> Date: Tue, 14 Aug 2001 09:55:00 -0600 (MDT)
> From: HEROLD <herold at cslr.Colorado.EDU>
> Reply-To: lug at lug.boulder.co.us
> To: lug at lug.boulder.co.us
> Subject: [lug] Fun with being hacked
> So, I noticed an interesting message in my messages file this morning:
> Aug 12 04:43:14 pharynx sshd2[812]: connection from ""
> Aug 12 04:43:20 pharynx sshd2[11628]: User gdm's local password accepted.
> Aug 12 04:43:20 pharynx sshd2[11628]: Password authentication for user gdm
> accepted.
> Aug 12 04:43:20 pharynx sshd2[11628]: User gdm, coming from
> s161-184-79-143.ab.hsia.telus.net, authenticated.
> Apparently this has been happening since around the 28th of July.
> I also found a package called "autotelnet" installed in
> /tmp/.../autotelnet, which is a hack designed to break into telnetd using
> a buffer overflow (gives root shell of course).
> Of course, my next actions will be to reformat and reinstall RH7.1, and,
> once again, apply every RPM in existence.  The problem is that I am not
> running telnetd, and in fact turned off all the services except sshd
> (openssh). I
> did a check on the telnet port and had the connection refused.  It seems
> to me that the autotelnet was installed afterwards, to probe and attack
> other machines.  I do not, however, have any idea of how they got in in
> the first place.
> Does gdm normally have a passwd?  There is a gdm listed in the user
> accounts, but I thought that was just so gnome could do its thing?
> Should I password it next time?
> In general, since RH7.1 does not install the xwindows linuxconf, what's
> a quick way to find out what services are running on a machine?
> Thanks,
> Keith
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

Warren Sanders
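A defender's cross-check for the reply above (ps versus the kernel's own /proc view) and for Keith's question about seeing what is running: this is an added example, not code from either poster. It assumes a Linux /proc filesystem; the /proc/net/tcp sample embedded below is constructed.

```python
#!/usr/bin/env python3
"""Compare what 'ps' reports with what the kernel exposes in /proc.

Two checks a rootkit that only replaced ps/netstat cannot defeat:
(1) PIDs that exist as /proc/<pid> directories but are missing from ps,
(2) listening TCP sockets read straight from /proc/net/tcp.
"""
import os
import subprocess

def hidden_pids(proc_pids, ps_pids):
    """PIDs the kernel knows about that ps did not report.

    A few short-lived PIDs can differ between two snapshots; a persistent
    daemon PID showing up here is the interesting case."""
    return sorted(set(proc_pids) - set(ps_pids))

def pids_from_proc(proc_root="/proc"):
    """Numeric directory names under /proc are the kernel's PID list."""
    return {int(d) for d in os.listdir(proc_root) if d.isdigit()}

def pids_from_ps():
    """PIDs as reported by the ps binary (the view a rootkit can tamper with)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def listening_ports(net_tcp_text):
    """Parse /proc/net/tcp text; return sorted ports in state 0A (LISTEN).

    local_address is hex 'IPADDR:PORT'; the st column is the socket state."""
    ports = set()
    for line in net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == "0A":
            ports.add(int(local.split(":")[1], 16))
    return sorted(ports)

# Constructed sample: sshd listening on 22 (0x0016) plus one established session.
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print("listening ports in sample:", listening_ports(SAMPLE_NET_TCP))
    if os.path.isdir("/proc"):
        print("PIDs hidden from ps:", hidden_pids(pids_from_proc(), pids_from_ps()))
        with open("/proc/net/tcp") as f:
            print("listening TCP ports:", listening_ports(f.read()))
```

Run it from a known-good boot medium or a statically linked Python if the host itself is suspect, since a kernel-level rootkit can lie in /proc as well.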
