[clug] Need opinions about actions of an intruder...
kim.holburn at nicta.com.au
Thu Aug 10 10:55:19 GMT 2006
On 2006 Aug 10, at 8:11 PM, Steve Walsh wrote:
> It looks like he's taking a very convoluted and round about way to
> get someone's email address, but I'd be more worried about someone
> who can remember how to compromise a RH9 box.
It's just a script. They identify the OS (not too hard these days
from IP response times and TCP serial characteristics) and choose a
script to 0wn it. It's a pain the way commercial distros stop being
patched after a certain amount of time (or when your sub runs out).
> Nedim Hadzimahmutovic wrote:
>> at work an old RH 9 box, which was 'maintained' by a coworker, was
>> hacked. While I was debugging asterisk on that box, I noticed a
>> strange process. Later I examined /var/log/messages and noticed
>> someone logged as user 'news' with uid 0. We did a backup of files,
>> and also a compete reinstall of the box (FC4). The strange process
>> this one:
>> root 7664 0.3 0.1 2024 884 ? S 13:35 0:00 sh -c
>> lynx -dump "http://cgi.ebay.com/ws/eBayISAPI.dll?
It's a knife. Whatever, it's something dodgy on eBay. Doing
something without showing his original IP. Did you get any logs of
the attacking IP? You could let eBay know or AUSCERT.
>> | grep @ >>
>> root 7665 1.6 0.2 4960 2280 ? S 13:35 0:00 lynx
>> -dump http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306
>> What do you think the intruder was doing?
> linux mailing list
> linux at lists.samba.org
Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
mailto:kim.holburn at nicta.com.au aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961
More information about the linux