|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical resolved Re: should i publish a list of cracked machines?
ok, having seen numerous comments (and numerous requests for the file), i
have decided to punt the list to cert.org and let them deal with it.
- as much as i'd like to, i don't have the time/energy to run through
the list and contact each netadmin. i've walked that trail before
while attempting to nip a few DoS attacks.
- i will not send the list to anyone other than cert, unless suggestions
can be made for other "authorative" groups who will maybe pick up
the task of contacting the netadmins in the list
my suspicions and some things to look for:
- boxes were comprimised using the buffer overflow in telnetd (speculation)
- my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
- nscd appears to be a hacked sshd, listening on a 14000 series port
- it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
- there was a file in /dev/ptaz which appeared to be DES crypto gunge
- there were a bunch of irc/eggdrop related files in a ".e" directory of
one of the user's $HOME
suggestions for looking about:
- do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files
with the same timestamp
- do a "du /dev" and look for anomalies
- do a "cd /dev ; ls -l | grep -e-" and look for anomalies
- do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies
--
[ Jim Mercer [email protected] +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]
|