
Re: Got hacked by Ramen-style attack



hi ya giacomo..

On Thu, 22 Nov 2001, Giacomo Mulas wrote:
> On Thu, 22 Nov 2001, Alvin Oga wrote:
> 
> > they tried.... doesn't mean they got in
> 
> you are correct so far, but if you read later on, the original poster
> adds:
> 
> > I had a number of rejected packets to port 137 immediately before, nmbd
> > crashed and the lprng exploit started.
> 
> If at least one daemon was crashed, the attack may have been successful,
> so he has every reason to be cautious.

yup .... but, i'd move the samba server to be internal.. and not
externally visible....
	- no reason for samba servers to be externally visible

samba ( nmbd/smbd could die for many different reasons )

without knowing the state of the fs before the attack... it's a little
harder to find what's different...
	- ie.. run tripwire, checksums, aide, etc

- when checking a possibly infected host, am assuming one uses the binary
  off of a cdrom instead of the (trojaned) machine itself to check its
  binary... which usually returns all okay..even if it's not


fun stuff... to go checking ...
not fun to have to rebuild a new box and very carefully restore data

have fun linux
alvin
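
The baseline-then-compare check the message refers to (tripwire, checksums, aide), sketched as an added example that is not part of the original post. `TRUSTED_BIN` is a hypothetical mount point for known-good tools on read-only media, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: checksum baseline and later comparison (not from the original post).
# TRUSTED_BIN is a hypothetical mount point for read-only media with known-good
# tools (sh, find, sort, awk, sha256sum, mktemp, rm). When set, it replaces PATH
# so nothing is resolved from the suspect machine's own binaries.
if [ -n "${TRUSTED_BIN:-}" ]; then PATH="$TRUSTED_BIN"; export PATH; fi

# make_baseline ROOT OUTFILE: one "hash  ./path" line per regular file under ROOT.
# Keep OUTFILE outside ROOT, ideally on media the host cannot write to.
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# compare_baseline ROOT BASELINE: print ADDED/CHANGED/MISSING paths.
# Returns 0 when the tree matches the baseline, 1 when anything differs.
compare_baseline() {
    cur=$(mktemp) || return 2
    make_baseline "$1" "$cur"
    report=$(awk '
        { hash = $1; sub(/^[^ ]+ [ *]/, "") }          # $0 is now the path
        FILENAME == ARGV[1] { base[$0] = hash; next }  # first file: baseline
        { seen[$0] = 1
          if (!($0 in base))          print "ADDED " $0
          else if (base[$0] != hash)  print "CHANGED " $0 }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Demo on a constructed tree: baseline, then simulate a replaced and a dropped file.
demo() {
    root=$(mktemp -d) && base=$(mktemp) || return 2
    mkdir -p "$root/bin" "$root/etc"
    printf 'original ls\n' > "$root/bin/ls"
    printf 'lpd config\n'  > "$root/etc/printcap"
    make_baseline "$root" "$base"
    printf 'replaced ls\n' > "$root/bin/ls"     # simulated modified binary
    printf 'extra\n'       > "$root/bin/.x"     # simulated dropped file
    compare_baseline "$root" "$base"; rc=$?
    rm -rf "$root" "$base"
    return "$rc"
}
demo || echo "tree differs from baseline"
```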


