[oclug] knark attack
MLAFLEUR at cegep-heritage.qc.ca
Fri Jan 12 10:04:37 EST 2001
Back to work for a few days only to find that our newly upgraded (to 6.2)
system has been cracked by something called knark.
It all began (I think) with a connection on an illegal port. This was
reported by rshd and rlogind in the log file.
The next day, the /var/log directory was gone.
Then I could not use by tape backup anymore.
In desperation I rebuilt the system yesterday evening. I walk to console
this morning to find a message saying:
caine: setting eth0 to promescuious mode
I examined the logs and there was some weird messages ine the messsages
Then I found a file called rk24.tar.gz dumped ate the root of the
filesystem. Creation date was more or less the same as the caine program,
and the weird log entry.
I immediatly brought the system to a non-networked stated and now I am
asking you guys: How to I secure my system???
More information about the OCLUG