hack lesson?

R Scott Belford sctinc at mac.com
Sat Jan 12 02:39:36 PST 2002


Thanks for the tips.  None of my service files in /etc/xinetd.d look 
corrupt.  Everything is off that I want off and on that I want on.  No 
mysterious new services (assuming ls is not compromised.) :) 
/etc/xinetd.conf looks fine.  I have found hacked directories before in 
/dev.  I won't spend much time looking around.  I have another drive and 
will be sending this to a well convicted hacking friend to dig 
through.  If there is something to use, I'll let him find it.

scott

On Friday, January 11, 2002, at 11:51  PM, epsas at inflicted.net wrote:

> I would check out your /etc/xinetd.conf or /etc/inetd.conf file for any 
> strange entries.  That is usually one of the first places that a 
> cracker modifies.  Also, I seriously suggest purchasing a new HD for 
> your reinstall and keeping the cracked HD around for forensics.
>
> Good luck,
> charles
>
>
>> It appears that a corrupt perl directory has been installed.  How did
>> they get in?  Some buffer overflow of perl that gave them root access
>> to install the rootkit?  Beats me, but I am checking with those who
>> may know.  It's very possible that I made a mistake some time last
>> year that someone is just now spanking me for.
>>
>> A friend suggested that I look at my rc.local file where I found "touch
>> /var/lock/subsys/local."  Having no virgin rc.local to look at, I don't
>> know if it's legit.
>>
>> It is dangerous to suggest that someone in a mailing list is
>> responsible for a hack.  Talk about introducing FUD.  I recognize this
>> and would hesitate to think that the active participants would stoop
>> to such an act.  The coincidence is unbearable, though.  I was clearly
>> flaunting my confidence in webmin, and what better way to give someone
>> a lesson in humility than to exploit their confidence.  It would not
>> surprise me if someone took this upon his/her self to do so.  No harm
>> was done, no defacing or data corruption occurred.  I'll be back up
>> and I'll be running webmin.  Keep a look out for me.  Come and get it.
>
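
An added example, not part of either message in this thread: one way to make the /etc/xinetd.d and xinetd.conf check discussed above repeatable is to parse the service blocks and compare what is enabled against a baseline of what should be on. The function names, the trusted-directory list and the sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path

ATTR_RE = re.compile(r"^(\w+)\s*(?:\+=|-=|=)\s*(.*)$")
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/usr/libexec/")  # assumption

def parse_xinetd(text):
    """Return {service: {attr: value}} for each 'service NAME { ... }' block."""
    services, name, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if block is None and parts[0] == "service" and len(parts) >= 2:
            name = parts[1]
            line = "{" if parts[-1] == "{" else ""
        if line == "{" and name:
            block = services.setdefault(name, {})
        elif line == "}":
            name = block = None
        elif block is not None and (m := ATTR_RE.match(line)):
            block[m.group(1)] = m.group(2).strip()
    return services

def audit(texts, expected):
    """Flag enabled services (no 'disable = yes') absent from expected or with odd servers."""
    findings = []
    for fname, text in sorted(texts.items()):
        for svc, attrs in parse_xinetd(text).items():
            if attrs.get("disable", "no").lower() == "yes":
                continue
            if svc not in expected:
                findings.append((fname, svc, "enabled but not in baseline"))
            server = attrs.get("server", "")
            if server and not server.startswith(TRUSTED_DIRS):
                findings.append((fname, svc, "server outside trusted dirs: " + server))
    return findings

def load_dir(path):
    return {p.name: p.read_text(errors="replace") for p in Path(path).iterdir() if p.is_file()}

SAMPLE = {  # constructed sample files, not taken from the post
    "telnet": "service telnet\n{\n\tdisable = yes\n\tserver = /usr/sbin/in.telnetd\n}\n",
    "wu-ftpd": "service ftp\n{\n\tdisable = no\n\tserver = /usr/sbin/in.ftpd\n}\n",
    "odd": "# no disable line, so enabled\nservice odd\n{\n\tuser = root\n\tserver = /dev/.x/srv\n}\n",
}

if __name__ == "__main__":
    print(audit(SAMPLE, expected={"ftp"}))
```

Run from known-good media, `audit(load_dir(...), expected)` can be pointed at the xinetd.d directory on a mounted copy of the suspect disk, so the result does not depend on binaries from the compromised install.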



More information about the LUAU mailing list