hack lesson?
R Scott Belford
sctinc at mac.com
Sat Jan 12 02:39:36 PST 2002
Thanks for the tips. None of my service files in /etc/xinetd.d look
corrupt. Everything is off that I want off and on that I want on. No
mysterious new services (assuming ls is not compromised.) :)
/etc/xinetd.conf looks fine. I have found hacked directories before in
/dev. I won't spend much time looking around. I have another drive and
will be sending this to a well convicted hacking friend to dig
through. If there is something to use, I'll let him find it.
scott
On Friday, January 11, 2002, at 11:51 PM, epsas at inflicted.net wrote:
> I would check out your /etc/xinetd.conf or /etc/inetd.conf file for any
> strange entries. That is usually one of the first places that a
> cracker modifies. Also, I seriously suggest purchasing a new HD for
> your reinstall and keeping the cracked HD around for forensics.
>
> Good luck,
> charles
>
>
>> It appears that a corrupt perl directory has been installed. How did
>> they get in? Some buffer overflow of perl that gave them root access to
>> install the rootkit? Beats me, but I am checking with those who may
>> know. It's very possible that I made a mistake some time last year that
>> someone is just now spanking me for.
>>
>> A friend suggested that I look at my rc.local file where I found "touch
>> /var/lock/subsys/local." Having no virgin rc.local to look at, I don't
>> know if it's legit.
>>
>> It is dangerous to suggest that someone in a mailing list is responsible
>> for a hack. Talk about introducing FUD. I recognize this and would
>> hesitate to think that the active participants would stoop to such an
>> act. The coincidence is unbearable, though. I was clearly flaunting my
>> confidence in webmin, and what better way to give someone a lesson in
>> humility than to exploit their confidence. It would not surprise me if
>> someone took this upon his/her self to do so. No harm was done, no
>> defacing or data corruption occurred. I'll be back up and I'll be
>> running webmin. Keep a look out for me. Come and get it.