Re: Hacked: .bash_history linked somewhere
Quoting "J. Bruce Fields" <bfields@fieldses.org>:
> On Fri, Nov 07, 2003 at 10:45:32AM -0800, Mike Egglestone wrote:
> > Hi,
> > My server was trojaned recently, not sure how.
> > It looks like /bin/ps was modified or replaced with
> > a trojan.
>
> Out of curiosity--how can you tell?
I could tell because the ps file in /bin was only 8.5K.
Also, if I ran
#less /bin/ps
(warn me about being binary, view anyway)
There was some English text saying "Problem occured, trojan dumped".
> > How does this happen in the first place? Does someone need to steal the
> > root password and login and plant the trojan, or could this be remotely
> > exploited through a security hole in one of my installed packages?
>
> Could be.
>
> > I don't understand how files can get overwritten without manually doing
> > it.
>
> What led you to believe there was a compromise in the first place?
/etc/samba/ was completely empty. Workstations this morning were
not logging into the samba server.
>
> Once you decide it was compromised, there's nothing you can do but start
> over (very carefully!) from scratch. It's hard to know for sure that
> you've found all the backdoors.
> --b.
I must run my updates more often I suppose.
Thanks for your input.
Luckily, I had my system on a separate drive and so the re-install should
go smoothly. I think I'll apt-get install snort too!
Mike