
RE: Was my system cracked? (retry 2)



At first glance, this appears to be an attempt to exploit rpc.statd.

If they *DID* get in, you have no way of knowing what may or may
not have been modified.  I just dealt with a machine about two weeks
ago that had a very extensive rootkit installed.  The only way it was
noticed that the machine had been compromised was that the admin
noticed many processes named "tfn-daemon" installed, which, for the
uninitiated, is the Tribal Flood Network DDoS tool.

Reinstall your system.  It sucks, but it's a learning experience.

-jg

--
Jeremy L. Gaddis     <jlgaddis@blueriver.net>

-----Original Message-----
From:	Ron Hale-Evans [SMTP:rwhe@ludism.org]
Sent:	Sunday, October 01, 2000 1:53 PM
To:	debian-user@lists.debian.org
Subject:	Was my system cracked? (retry 2)

[snip] 

Sep 30 19:10:53 ludism syslogd: Cannot glue message parts together 
Sep 30 19:10:53 ludism 173
Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname
error for
^X-?ø^X-?ø^Y-?ø^Y-?ø^Z-?ø^Z-?ø^[-?ø^[-?ø%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêê1¿Î|YâA^PâA^H?¿âA^Dâ^?¿â^A?fÕÄ?^BâY^L?A^Nô?A^H^PâI^DÄA^D^Là^A?fÕÄ?^D?fÕÄ?^E0¿àA^D?fÕ
Sep 30 19:10:53 ludism «^F/bin«F^D/shA0¿àF^Gâv^LçV^PçN^LâÛ?^KÕÄ?^AÕÄË???
Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U)
Sep 30 19:14:01 ludism innd: ME time 300548 idle 300544(2) artwrite 0(0) artlink 0(0) hiswrite 0(0) hissync 0(3)

So, do you think my machine has been cracked? It looks as though they've
been trying to cover their tracks, but not doing it very well. If it is a
crack, what can I do about it apart from wiping the machine and rebuilding
from the ground up?

Thanks...

Ron Hale-Evans

-- 
   Ron's Info Closet: Center for Ludic Synergy, Kennexions Glass Bead Game,
    Positive Revolution FAQ, Hexagram-8 I Ching Mailing List, and links...
   Ron Hale-Evans ... rwhe@ludism.org ... <http://www.apocalypse.org/~rwhe/>
                    Further up and further in! fnord


-- 
Unsubscribe?  mail -s unsubscribe debian-user-request@lists.debian.org < /dev/null
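The rpc.statd line Ron pasted has the shape of a format-string payload: a run of %8x conversions to walk up the stack, width-padded conversions followed by %n (which stores the number of characters printed so far into memory), a sled of one repeated byte, and "/bin/sh" near the end. The scanner below is an added example written for this thread, not code from the original post or from rpc.statd. It pulls those hallmarks out of raw syslog lines and, for each %n, computes a lower bound on the value that conversion would have written. The sample lines are constructed, shortened stand-ins for the ones above (the 0xea filler matches how the sled renders in the message when read as Latin-1); the point values and thresholds are illustrative assumptions, and a hit only means an attempt was logged, which says nothing about whether it succeeded.

```python
"""Heuristic scanner for format-string exploit attempts in syslog output.

Added example for this thread; not code from the original post or from
rpc.statd. Thresholds and scores are illustrative assumptions, and the
sample log lines are constructed, shortened stand-ins for the real ones.
"""
import re
from dataclasses import dataclass, field

# One printf-style conversion specification, split into its parts.
CONVERSION_RE = re.compile(
    r"%(?P<pos>\d+\$)?(?P<flags>[-+ #0]*)(?P<width>\d*)(?P<prec>\.\d+)?"
    r"(?P<len>hh|h|ll|l|j|z|t|L)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)
SLED_RE = re.compile(rb"([\x80-\xff])\1{15,}")   # 16+ copies of one high byte
SHELL_RE = re.compile(rb"/bin/+sh")


@dataclass
class Verdict:
    line_no: int
    score: int = 0
    reasons: list = field(default_factory=list)


def n_write_values(fmt: str, prefix_len: int = 0) -> list:
    """Lower bound on the integer each %n would store.

    printf stores the number of characters emitted so far; a field width is
    the minimum a conversion emits (exact for %x of a 32-bit value when the
    width is >= 8). prefix_len covers fixed text the daemon may have placed
    before the attacker's data in the same format string (unknown here).
    """
    count = prefix_len
    values = []
    last = 0
    for m in CONVERSION_RE.finditer(fmt):
        count += m.start() - last            # literal text between conversions
        last = m.end()
        conv = m.group("conv")
        if conv == "n":
            values.append(count)
        elif conv == "%":
            count += 1
        else:
            count += max(int(m.group("width") or 0), 1)
    return values


def analyse(raw: bytes, line_no: int, max_benign_conversions: int = 3) -> Verdict:
    """Score one raw log line; higher means more exploit-like (assumed scale)."""
    v = Verdict(line_no)
    text = raw.decode("latin-1")             # 1:1 bytes -> chars, never fails
    convs = list(CONVERSION_RE.finditer(text))
    writes = [m for m in convs if m.group("conv") == "n"]
    if writes:
        v.score += 10 * len(writes)
        v.reasons.append(
            f"{len(writes)} %n conversion(s); values written (lower bound, "
            f"counted from the first conversion): "
            f"{n_write_values(text[convs[0].start():])}")
    if len(convs) > max_benign_conversions:
        v.score += 3
        v.reasons.append(f"{len(convs)} conversions, more than a log message needs")
    sled = SLED_RE.search(raw)
    if sled:
        v.score += 5
        v.reasons.append(f"{len(sled.group(0))}-byte run of 0x{sled.group(1)[0]:02x}")
    if SHELL_RE.search(raw):
        v.score += 5
        v.reasons.append("embedded /bin/sh string")
    return v


def scan(lines, threshold: int = 10) -> list:
    """Return verdicts for every line scoring at or above threshold."""
    return [v for v in (analyse(raw, i) for i, raw in enumerate(lines, 1))
            if v.score >= threshold]


# Constructed payload: the conversion part of the line in the thread.
PAYLOAD = b"%8x" * 9 + b"%236x%n%137x%n%10x%n%192x%n"

# Constructed sample log; the filler and the /bin/sh tail are stand-ins
# for the shellcode bytes, which are not reproduced here.
SAMPLE_LOG = [
    b"Sep 30 19:10:53 ludism /sbin/rpc.statd[205]: gethostbyname error for "
    + PAYLOAD + b"\xea" * 48 + b"/bin/sh",
    b"Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U)",
    b"Sep 30 19:30:00 ludism testapp[77]: template 'user %s logged in from %s' not filled",
    b"Sep 30 19:35:00 ludism sshd[1024]: Accepted publickey for ron from 192.0.2.10 port 51510",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: score {hit.score}")
        for reason in hit.reasons:
            print(f"  - {reason}")
```

Run against the constructed sample, only the rpc.statd line fires: four %n conversions, seventeen conversions in total, a 48-byte run of 0xea and the shell string. The ordinary lines, including the one that merely contains two %s in a quoted template, score zero, which is why %n rather than a bare "%" is the decisive signal. The widths before each %n (72 characters from the nine %8x, then 236, 137, 10 and 192) give stored values of 308, 445, 455 and 647; in a real attack those byte-sized or short-sized writes are aimed at the addresses that precede the conversions, which this scanner does not try to decode.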


