
Re: Hacked: .bash_history linked somewhere



Quoting "J. Bruce Fields" <bfields@fieldses.org>:

> On Fri, Nov 07, 2003 at 10:45:32AM -0800, Mike Egglestone wrote:
> > Hi,
> > My server was trojaned recently, not sure how.
> > It looks like /bin/ps was modified or replaced with
> > a trojan. 
> 
> Out of curiosity--how can you tell?
I could tell because the ps file in /bin was only 8.5K.
Also, if I ran
#less /bin/ps
(warn me about being binary, view anyway)
There was some english text saying "Problem occured, trojan dumped".


> > How does this happen in the first place? Does someone need to steal the
> > root password and login and plant the trojan, or could this be remotely
> > exploited through a security hole in one of my installed packages?
> 
> Could be.
> 
> > I don't understand how files can get overwritten without manually doing
> > it.
> 
> What led you to believe there was a compromise in the first place?

/etc/samba/ was completely empty. Workstations this morning were
not logging into the samba server. 

> 
> Once you decide it was compromised, there's nothing you can do but start
> over (very carefully!) from scratch.  It's hard to know for sure that
> you've found all the backdoors.
> 
> --b.

I must run my updates more often I suppose.
Thanks for your input.
Luckily, I had my system on a separate drive and so the re-install should
go smoothly. I think I'll apt-get install snort too!

Mike
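Mike noticed the trojaned ps by its odd size and embedded text; a more systematic version of that check compares each installed binary against the md5sums manifest its package recorded (Debian keeps these under /var/lib/dpkg/info/<pkg>.md5sums). The script below is an added example, not code from either mail; the function names and the constructed demo tree are assumptions, and because an attacker with root can edit the manifests too, the hashes should come from the original .deb files or read-only media, which is why this finds a swap but does not replace the rebuild Bruce recommends.

```sh
#!/bin/sh
# Added example: verify files against a dpkg-style md5sums manifest, whose
# lines look like "<md5>  <path relative to />". A replaced /bin/ps shows up
# as MODIFIED. Function names and the demo tree are constructed for this demo.

md5_of_string() { printf '%s' "$1" | md5sum | cut -d' ' -f1; }

# verify_manifest MANIFEST ROOT
# Prints "OK|MODIFIED|MISSING <path>" per entry; returns 1 if anything is off.
verify_manifest() {
    manifest=$1 root=$2 bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# build_demo_tree DIR: constructed sample root with an intact ls, a replaced
# ps and a deleted netstat; the manifest records the original contents' hashes,
# as the package would have at install time.
build_demo_tree() {
    mkdir -p "$1/bin"
    printf 'ls-original' > "$1/bin/ls"
    printf 'replacement ps' > "$1/bin/ps"
    {
        echo "$(md5_of_string ls-original)  bin/ls"
        echo "$(md5_of_string ps-original)  bin/ps"
        echo "$(md5_of_string netstat-original)  bin/netstat"
    } > "$1/manifest"
}

# Stand-alone run: build the demo tree, check it, clean up.
d=$(mktemp -d)
build_demo_tree "$d"
verify_manifest "$d/manifest" "$d"
rm -rf "$d"
```

On a live Debian box the same loop runs over /var/lib/dpkg/info/*.md5sums with ROOT set to /, which is essentially what the debsums package does.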
