| 1 |
On Monday 10 August 2009 05:36:00 Grant Edwards wrote: |
| 2 |
> On 2009-08-08, pk <peterk2@××××××××.se> wrote: |
| 3 |
> > Grant Edwards wrote: |
| 4 |
> >> That's what I thought back when I was using dialup on a Linux |
| 5 |
> >> box that didn't have any servers running. Then one day I got |
| 6 |
> >> root-kitted. |
| 7 |
> > |
| 8 |
> > This may be off-topic but I'm curious about the details. Can you please |
| 9 |
> > elaborate? |
| 10 |
> |
| 11 |
> Well, it was probably about 9 years ago, but here's the way I |
| 12 |
> remember it: |
| 13 |
> |
| 14 |
> It started when I noticed the modem's RX/TX lights were |
| 15 |
> flashing when there was no reason for them to be doing so (I |
| 16 |
> was in the habit of keeping an eye on them to make sure the |
| 17 |
> connection was working OK). When I did a netstat, it showed |
| 18 |
> active network connections that shouldn't have been there, but |
| 19 |
> ps didn't show the processes that netstat said had connections |
| 20 |
> open. The "ps" binary had been replaced with a hacked version. |
| 21 |
> IIRC, so had the "lsof" binary because it didn't show the |
| 22 |
> processes that had the connections open either. |
| 23 |
> |
| 24 |
> I was running an RPM-based installation at the time (RH 6 or 7 |
| 25 |
> I believe), and and an rpm "verify" command failed for a |
| 26 |
> handful of system related binaries (among them ps and lsof): |
| 27 |
> they weren't the same files that rpm had installed. |
| 28 |
|
| 29 |
There was a Red Hat *.0 release of that era that shipped with every possible |
| 30 |
service installed and running, accepting connections from anywhere. IIRC, |
| 31 |
average time to be rooted was measured in minutes... |
| 32 |
|
| 33 |
Red Hat were quite clear at the time that the release was not actually for |
| 34 |
real use, more for testing. I think the switch to glibc-2 was the underlying |
| 35 |
reason. Anyway, lots of folks got bitten because they installed and used it |
| 36 |
anyway. |
| 37 |
|
| 38 |
Perhaps you got caught up in that? |
| 39 |
|
| 40 |
-- |
| 41 |
alan dot mckinnon at gmail dot com |
Archives