[oclug] 1i0n crack

Tom Goulet tomg at nova.yi.org
Tue Apr 24 13:25:26 EDT 2001


>My system was cracked (again).
>I think it was a named exploit but I'm not sure.

Don't run _any_ internet listening daemons that are not explicitly
required.  For desktops especially, this can amount to none at all.

>How do I find out how he got in?

Well, you probably don't.  You can look for weird log entries in
/var/log/* (standard script kiddie procedure is to run a script that may
or may not succeed in removing suspicious log entries).  You can backtrack
through your mind and remember if any of the daemons running were
vulnerable and guess it was one of those.

>What is asp62 which he installed on my system?

Well, it probably provides a root shell without a password, or it is a
simple proxy program (a "bounce") for more cracking or harassing on IRC.

>I'm going to reinstall even though it looks like he didn't finish.

That's what I would recommend.  Before you plug the network cable back
in, disable (and delete) all the daemons that are running after the
install.

Boy, that script you showed sure shows how script kiddies got their
name.  They don't even know how a simple shell script works.

TomG
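Two small checks that follow the advice in the reply above, added here as an example; this is not code from the original post or from OCLUG. The first inventories listening sockets against an allowlist of daemons you explicitly require, the second looks for holes in a syslog-format file where a log-cleaning script may have deleted lines. Both read netstat-style and syslog-style text from stdin; the sample input at the bottom is constructed, not captured from any real host, and the allowlist and gap threshold are assumptions you would set for your own machine.

```shell
#!/bin/sh
# Added example (not from the original post). Defender-side checks for the two
# points made in the reply: unneeded listening daemons, and logs that may have
# been cleaned. Both functions read stdin so they work on live command output
# or on the constructed samples below.

# Usage: netstat -tulnp | audit_listeners "sshd dhclient"
# Prints "proto local-address program" for every tcp/udp socket whose program
# is not in the space-separated allowlist ($1). A socket with no visible
# program ("-") is reported as "unknown". Exit status 1 if anything was flagged.
audit_listeners() {
    allow=" $1 "
    awk -v allow="$allow" '
        /^(tcp|udp)/ {
            # PID/Program is the last column, e.g. "734/sshd" or "-"
            n = split($NF, p, "/")
            prog = (n == 2) ? p[2] : "unknown"
            if (index(allow, " " prog " ") == 0) {
                flagged++
                print $1, $4, prog
            }
        }
        END { exit (flagged ? 1 : 0) }'
}

# Usage: check_log_gaps 3600 < /var/log/messages
# Syslog lines start "Mon DD HH:MM:SS host ...". Flags a clock that runs
# backwards (lines spliced or re-ordered) or a forward jump larger than $1
# seconds (a block of lines possibly deleted). Month rollover is not handled
# and a quiet machine also produces gaps: this is a heuristic, not proof.
check_log_gaps() {
    awk -v maxgap="${1:-3600}" '
        BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
                for (i in m) mon[m[i]] = i }
        $1 in mon {
            split($3, t, ":")
            # seconds since an arbitrary epoch; every month counted as 31 days
            s = ((mon[$1] * 31 + $2) * 24 + t[1]) * 3600 + t[2] * 60 + t[3]
            if (have) {
                d = s - prev
                if (d < 0) { print "clock runs backwards at line " NR ": " $0; hits++ }
                else if (d > maxgap) { print d " second gap before line " NR ": " $0; hits++ }
            }
            prev = s; have = 1
        }
        END { exit (hits ? 1 : 0) }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      734/sshd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      812/named
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           892/dhclient'

SAMPLE_LOG='Apr 24 03:10:01 myhost CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Apr 24 03:12:44 myhost sshd[1210]: Accepted password for admin from 10.0.0.5 port 40112 ssh2
Apr 24 06:40:12 myhost named[812]: client 10.0.0.5#1029: query: example.com IN A
Apr 24 06:39:58 myhost sshd[1230]: Accepted password for admin from 10.0.0.5 port 40113 ssh2'

# Demonstration on the samples; exit status 1 only means something was flagged.
echo "== listeners not in allowlist (sshd dhclient) =="
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners "sshd dhclient" || :
echo "== suspicious timestamps (max gap 3600 s) =="
printf '%s\n' "$SAMPLE_LOG" | check_log_gaps 3600 || :
```

On the sample, `named` and the socket with no visible program are reported as not allowed, the three-and-a-half-hour hole between 03:12 and 06:40 is reported as a gap, and the final line is reported because its timestamp precedes the one before it. Run the listener check right after a fresh install, before the network cable goes back in, and again whenever a package pulls in a new service.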