On Monday 10 August 2009 05:36:00 Grant Edwards wrote:
> On 2009-08-08, pk <peterk2@××××××××.se> wrote:
> > Grant Edwards wrote:
> >> That's what I thought back when I was using dialup on a Linux
> >> box that didn't have any servers running. Then one day I got
> >> root-kitted.
> >
> > This may be off-topic but I'm curious about the details. Can you please
> > elaborate?
>
> Well, it was probably about 9 years ago, but here's the way I
> remember it:
>
> It started when I noticed the modem's RX/TX lights were
> flashing when there was no reason for them to be doing so (I
> was in the habit of keeping an eye on them to make sure the
> connection was working OK). When I did a netstat, it showed
> active network connections that shouldn't have been there, but
> ps didn't show the processes that netstat said had connections
> open. The "ps" binary had been replaced with a hacked version.
> IIRC, so had the "lsof" binary because it didn't show the
> processes that had the connections open either.
>
> I was running an RPM-based installation at the time (RH 6 or 7
> I believe), and an rpm "verify" command failed for a
> handful of system related binaries (among them ps and lsof):
> they weren't the same files that rpm had installed.

There was a Red Hat *.0 release of that era that shipped with every possible
service installed and running, accepting connections from anywhere. IIRC,
average time to be rooted was measured in minutes...

Red Hat were quite clear at the time that the release was not actually for
real use, more for testing. I think the switch to glibc-2 was the underlying
reason. Anyway, lots of folks got bitten because they installed and used it
anyway.

Perhaps you got caught up in that?

-- 
alan dot mckinnon at gmail dot com
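An added example, not part of this thread and not written by any of its participants: the two checks Grant describes, a connection that netstat attributes to a PID that ps does not list, and an rpm verify failure on a system binary, written as small parsers so they can be run offline. The netstat, ps and rpm output below is constructed sample text, not captured data; the column layouts assumed are those of `netstat -tnp`, `ps -e -o pid=,comm=` and `rpm -Va`, and the process names, addresses and ports are made up.

```python
import re

# Constructed sample of `netstat -tnp` output (not real captured data).
# The last column is "PID/Program name"; a process that a replaced ps hides
# still appears here because netstat reads the kernel's socket tables.
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.0.0.5:22             10.0.0.9:51234          ESTABLISHED 812/sshd
tcp        0      0 10.0.0.5:35120          203.0.113.7:6667        ESTABLISHED 1337/sh
tcp        0      0 10.0.0.5:35121          203.0.113.7:4040        ESTABLISHED 1338/sh
"""

# Constructed sample of `ps -e -o pid=,comm=` output: PIDs 1337 and 1338 are absent.
PS_SAMPLE = """\
    1 init
  812 sshd
  900 bash
"""

# Constructed sample of `rpm -Va` output. Column 1 holds the verify flags
# (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime);
# an optional attribute letter (c = config file) precedes the path.
RPM_VERIFY_SAMPLE = """\
S.5....T.    /bin/ps
S.5....T.    /usr/sbin/lsof
.......T.  c /etc/ssh/sshd_config
S.5....T.  c /etc/hosts
missing     /usr/share/doc/foo/README
"""

NETSTAT_PID_RE = re.compile(r"^(\d+)/(.*)$")


def netstat_pids(text):
    """Map PID -> (foreign address, program name) for each connection netstat ties to a PID."""
    pids = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # banner line, or a row without a PID column
        m = NETSTAT_PID_RE.match(fields[6])
        if m:  # the header row's seventh field is "Address", so it is skipped here
            pids[int(m.group(1))] = (fields[4], m.group(2))
    return pids


def ps_pids(text):
    """Set of PIDs that ps reports."""
    pids = set()
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            pids.add(int(fields[0]))
    return pids


def hidden_processes(netstat_text, ps_text):
    """PIDs holding network connections that ps does not list: the discrepancy
    described in the thread. Returns a sorted list of (pid, foreign address, program)."""
    seen = ps_pids(ps_text)
    return sorted((pid, addr, prog)
                  for pid, (addr, prog) in netstat_pids(netstat_text).items()
                  if pid not in seen)


def modified_binaries(rpm_text):
    """Files whose digest no longer matches what rpm installed, plus files missing
    outright. Config files (attribute 'c') are skipped, since admins edit those."""
    findings = []
    for line in rpm_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        path = fields[-1]
        attrs = fields[1:-1]
        if fields[0] == "missing":
            findings.append((path, "missing"))
        elif "5" in fields[0] and "c" not in attrs:
            findings.append((path, "digest"))
    return findings


if __name__ == "__main__":
    for pid, addr, prog in hidden_processes(NETSTAT_SAMPLE, PS_SAMPLE):
        print(f"hidden process pid={pid} prog={prog} connected to {addr}")
    for path, why in modified_binaries(RPM_VERIFY_SAMPLE):
        print(f"rpm verify: {path} ({why})")
```

Two caveats when doing this on a live box rather than on sample text: if ps, netstat and lsof have all been swapped, their outputs can agree with each other, so the cross-view is only as good as the one tool that was not replaced (reading /proc directly, or running binaries from known-good media, avoids relying on any of them); and `rpm -V` compares against the rpm database on the same disk, which a root-level intruder can also rewrite, so a verify pass is evidence when it fails and not proof when it passes.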