"Damian O'Sullivan" said:
> It was. Someone hacked the postgresl account. rm'd /usr/bin/named for
> some reason. And copied loadsa scan/trojan stuff into the account. I have
> the IP of the person who connected. What should be the next step? I assume
> that IP was prolly hacked as well. The IP does not have a dns entry and
> strobes show it as a UNIX box. A nohup.out also shows a scanned network..
BTW everyone on ILUG running a Linux box with amd or named running should
ensure they have the latest updates from their vendors (or built from
source even). It's pretty easy to do, go to the vendor site, hit support,
hit "security updates" or similar, and download the packages.
Named at the mo' has a bug which is trivial to exploit remotely, and *is*
being exploited remotely on a huge scale. The securityfocus lists are
full of reports of this.
Sascha Lucky Luck wrote:
> If more Alphas and PPCs are used, then there will be more scripts for them.
> Security by obscurity doesn't work.
Yep, I agree. Having said that, making things difficult for the script
kiddies is always worthwhile by any means ;)
On that note, has anyone tried out some of non-executable-stack patches
for Linux? And *why* aren't they an option in the standard kernel?! I
know it still leaves the possibility of overflows in heap buffers, but
since most of the bugs are stack-based it would reduce the opportunities
greatly.
--j.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
