[lug] Fun with being hacked
gsexton at mhsoftware.com
Tue Aug 14 10:22:58 MDT 2001
Just out of curiosity, what is the UID on the GDM account in the password
file? On my RedHat install, it's 42. Is it 0 now in yours?
Also, I noticed on my system that the GDM account has a valid shell. I
looked at the RedHat RPM and it looks like when the GDM entry is created, it
doesn't specify a shell. This is probably a defect. It should have
/bin/false like the other system accounts.
From: lug-admin at lug.boulder.co.us [mailto:lug-admin at lug.boulder.co.us]On
Behalf Of HEROLD
Sent: 14 August, 2001 9:55 AM
To: lug at lug.boulder.co.us
Subject: [lug] Fun with being hacked
So, I noticed an interesting message in my messages file this morning:
Aug 12 04:43:14 pharynx sshd2: connection from "126.96.36.199"
Aug 12 04:43:20 pharynx sshd2: User gdm's local password accepted.
Aug 12 04:43:20 pharynx sshd2: Password authentication for user gdm
Aug 12 04:43:20 pharynx sshd2: User gdm, coming from
Apparently this has been happening since around the 28th of July.
I also found a package called "autotelnet" installed in
/tmp/.../autotelnet, which is a hack designed to break into telnetd using
a buffer overflow (gives root shell of course).
Of course, my next actions will be to reformat and reinstall RH7.1, and,
once again, apply every RPM in existence. The problem is that I am not
running telnetd, and in fact turned off all the services except sshd. I
did a check on the telnet port and had the connection refused. It seems
to me that the autotelnet was installed afterwards, to probe and attack
other machines. I do not, however, have any idea of how they got in in
the first place.
Does gdm normally have a passwd? There is a gdm listed in the user
accounts, but I thought that was just so gnome could do its thing?
Should I password it next time?
In general, since RH7.1 does not install the xwindows linuxconf, what's
a quick way to find out what services are running on a machine?
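Added example (not part of either message above): a small POSIX shell script that
checks the three things the thread raises, using constructed sample files rather
than a real system. It lists system accounts (UID below 500, the Red Hat 7.x
convention, assumed here) whose shell field would still let a password login
succeed, counting an empty shell field as a login shell because login(1) falls
back to /bin/sh when the field is blank; it flags any extra UID 0 account; it
lists accounts in a shadow file that actually carry a password hash; and it
shows the usual netstat/chkconfig commands for "what is listening". The account
names and hashes in the sample files are made up.

```shell
#!/bin/sh
# Added example: audit passwd/shadow for login-capable system accounts and
# list listening services. The sample data below is constructed, not real.

# Print "user:uid:shell:reason" for every account that should not be able to
# log in but could: non-root accounts with UID 0, and accounts below MAXSYS
# (default 500, assumed Red Hat system-account range) whose shell is neither
# /bin/false nor /sbin/nologin. An empty shell field is reported as "(none)":
# login(1) uses /bin/sh in that case, so it is a valid shell in practice.
audit_system_accounts() {
    passwd_file="$1"
    maxsys="${2:-500}"
    awk -F: -v maxsys="$maxsys" '
        /^#/ || NF < 7 { next }              # skip comments and malformed lines
        {
            user = $1; uid = $3 + 0; shell = $7
            if (uid == 0 && user != "root")
                printf "%s:%d:%s:extra-uid0\n", user, uid, shell
            else if (uid < maxsys && user != "root" &&
                     shell != "/bin/false" && shell != "/sbin/nologin")
                printf "%s:%d:%s:login-shell\n", user, uid,
                       (shell == "" ? "(none)" : shell)
        }' "$passwd_file"
}

# Print the names of accounts whose shadow entry holds a real password hash,
# i.e. the second field is not empty and does not start with "*" or "!".
passworded_accounts() {
    awk -F: '/^#/ || NF < 2 { next } $2 != "" && $2 !~ /^[*!]/ { print $1 }' "$1"
}

# What is listening right now, and what is enabled at boot. netstat needs
# root to fill in the PID/Program column; ss is the modern replacement.
# chkconfig lines containing ":on" are services started in some runlevel.
listening_services() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -tulnp
    elif command -v ss >/dev/null 2>&1; then
        ss -tulnp
    fi
    if command -v chkconfig >/dev/null 2>&1; then
        chkconfig --list | grep ':on'
    fi
}

# Constructed sample files so the example runs without touching /etc.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
gdm:x:42:42::/var/gdm:
nobody:x:99:99:Nobody:/:/bin/false
toor:x:0:0::/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:$1$abc$def:11500:0:99999:7:::
bin:*:11500:0:99999:7:::
gdm:$1$xyz$uvw:11540:0:99999:7:::
nobody:!!:11500:0:99999:7:::
alice:$1$q$w:11500:0:99999:7:::
EOF

echo "== system accounts that can log in =="
audit_system_accounts "$SAMPLE_DIR/passwd"
echo "== accounts with a password set =="
passworded_accounts "$SAMPLE_DIR/shadow"
```

On a real box, run audit_system_accounts /etc/passwd and passworded_accounts
/etc/shadow as root, then listening_services; a gdm entry that shows up in both
audits is exactly the combination the log excerpt above describes, since sshd
only needs a password and a usable shell to let the account in.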
Web Page: http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug