[oclug] 1i0n crack
Adrian Chung
adrian at enfusion-group.com
Tue Apr 24 15:43:20 EDT 2001
On Tue, Apr 24, 2001 at 01:03:52PM -0400, Bob Lockie wrote:
> My system was cracked (again).
> I think it was a named exploit but I'm not sure.
> The *asshole left a tar file in my /tmp directory.
> How do I find out how he got in?
If you trace through all of the scripts and files in the tarball in
/tmp, you'll find that they probably match the 1i0n worm, as your
subject line already says.
It exploits a hole in BIND which allows root access. The root
access is used to put the tarball on your system, and amongst other
things, prepare your machine to continue spreading the worm.
> What is asp62 which he installed on my system?
asp62 is a simple webserver that serves up the tarball that's in your
/tmp directory.
It only really works should you have or use inetd.
--
Adrian Chung
adrian at enfusion-group dot com