From: "Michael H. Warfield" <mhw@wittsend.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: "Jeff V. Merkey" <jmerkey@vger.timpanogas.org>,
linux-kernel@vger.kernel.org, jmerkey@timpanogas.org
Subject: Re: TRG vger.timpanogas.org hacked
Date: Tue, 5 Jun 2001 10:10:19 -0400
Message-ID: <20010605101019.A19917@alcove.wittsend.com>
In-Reply-To: <20010604183642.A855@vger.timpanogas.org> <E157AuE-0006Wc-00@the-village.bc.nu>
In-Reply-To: <E157AuE-0006Wc-00@the-village.bc.nu>; from alan@lxorguk.ukuu.org.uk on Tue, Jun 05, 2001 at 08:05:34AM +0100
On Tue, Jun 05, 2001 at 08:05:34AM +0100, Alan Cox wrote:
> > is curious as to how these folks did this. They exploited BIND 8.2.3
> > to get in and logs indicated that someone was using a "back door" in
> Bind runs as root.
It doesn't have to. In fact, I just set up a RedHat 6.2 Honeypot
a couple of weeks ago researching Bind-based worms that are becoming
a problem. Much to my surprise, that OOB RedHat 6.2 system ran bind
as "named -u named" and was running Bind under a common user id. RedHat
6.0 runs it as root and I haven't checked 6.1 yet. Don't know about the
other distros yet.
> > We are unable to determine just how they got in exactly, but they
> > kept trying and created an oops in the affected code which allowed
> > the attack to proceed.
> Are you sure they didn't in fact simply screw up live patching the kernel to
> cover their traces?
That would be a hint that they MIGHT have been trying to get a
Linux kernel stealth module going. Several of the worms I'm looking at
include the Adore LKM to hide processes, files, and sockets. That worm
(like several others) also upgrades the version of Bind it broke
in through to prevent further compromise. There will be a security
advisory out on these worms, probably later this week.
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!