LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] Possible hack?

[ILUG] Possible hack?

Anders Holm anders.holm at elivefree.net
Tue May 28 14:52:15 IST 2002 

Hi Barry.

Ok, so it definitely looks like someone then hacked the box.

It's very common practice to replace/add binaries when hacking a box. Same
goes for removing entries in the log files.

Yes, similar hacks has been seen. Check securityfocus.com et. al.

To solve the log part use a loghost or similar. In that way they can change
as many logfiles they like, it'll still be logged somewhere else before they
can even change it.

Sorry I can't be of more help than this. The rest is all up to setup and so
forth. Enjoy!

Best Regards
Anders Holm


-----Original Message-----
From: ilug-admin at linux.ie [mailto:ilug-admin at linux.ie]On Behalf Of Barry
O'Donovan
Sent: 28 May 2002 13:52
To: Anders Holm; ilug at linux.ie
Subject: Re: [ILUG] Possible hack?


Ar an Tuesday 28 May 2002 12:10, scriobh tu:

> Hi Barry,
>
> there's only really 2 options here:
>
> 1/ Someone with appropriate access put the "crond " file there,
> because they don't understand/cannot use the installed version of
> cron.
That's a definite no - firstly the new file has a space as the last
character in the name - presumably to make it appear perfectly natual
when doing an ls, but so that the real crond will be called when
entered via the command line. Good idea actually! (if not a bit
unfortunate for me)

> 2/ Your worst nightmare has come true, and you've been
> hacked.
I think that's a definite.

What I really want to know is has anyone else seen a similar hack
before?

> The mail doesn't show the ownership of the file itself. I'd take it
> to be root??
Yeah root

>
> Check what else may have happened on that system at that point in
> time. Check for other files that may have changed around that time
> as well... Has anyone _seemingly_ tampered with /var/log/* files
> (to cover tracks)?
I've checked all the log files - it actually looks like there's a gap
in and around the time of the hack on some of them - such as
messages, etc.



--
Regards,
Barry O'Donovan	barry.odonovan at ucd.ie

Mobile: +353 (0)86 2891589, Office: +353 (0)1 716 2454

Roinn na Riomheolaiochta, An Colaiste Ollscoile, Baile Atha Cliath.
Department of Computer Science, University College Dublin.

--
Irish Linux Users' Group: ilug at linux.ie
http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
List maintainer: listmaster at linux.ie

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell