trog
AGN Admin
Posts: 21378
Location: Brisbane, Queensland

Someone's done an interesting analysis of a Linux box that got compromised and used as a zombie box. If you're into Linux it's worth a read to see how a box can get owned and what to look out for.

#0 08:59pm 17/08/07
Freewheelin
Posts: 1076
Location: Brisbane, Queensland

I didn't really understand all of the commands used etc., but he explains very clearly what was going on. That was a really good read.
Woha! The box had been cracked alright! I found this quite exciting, but obviously, my friend did not. heh

#1 01:28pm 17/08/07
Spook
Posts: 19347
Location: Brisbane, Queensland

that was interesting

#2 02:01pm 17/08/07
TicMan
Posts: 2483
Location: Brisbane, Queensland

Interesting but just seems like what every other trojan/backdoor problem regardless of OS would do. Install itself, add hacked system files, etc. I'm wondering how it got compromised in the first place though, that'd be the most interesting information.
Was it a simple root password, stupid sysadmin giving out free shell accounts or so on...

#3 02:08pm 17/08/07
gimpy
Posts: 1666
Location: Brisbane, Queensland

Sendmail (prior to Sendmail 8.6.10) was no doubt the cause of this hack.

#4 02:27pm 17/08/07
ara
Posts: 1246
Location: Sydney, New South Wales

I used to keep a little tarball of ls, ps, top, netstat and ifconfig to investigate this kind of thing. An md5 on those binaries would show up inconsistencies since most rootkits replace them instead of modifying the kernel as it is a quicker and easier path. My money is it was from php-nuke or some such dodgy CMS.

#5 02:39pm 17/08/07
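One way to do the baseline-and-compare check ara describes, as an added example that is not from the thread: hash a list of binaries on a known-clean box, keep the manifest somewhere the box cannot reach, and later re-hash to flag replaced or deleted files. The function names and the temporary-directory scenario are my own assumptions, and SHA-256 is used where the post says md5.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo="sha256"):
    """Hash a file in chunks; returns None if it is missing (itself a finding)."""
    if not os.path.isfile(path):
        return None
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths, algo="sha256"):
    """Record path -> digest on a known-clean system (store the result off-box)."""
    return {p: hash_file(p, algo) for p in paths}


def check_against_baseline(baseline, algo="sha256"):
    """Re-hash every path in the baseline and classify it as ok, modified or missing."""
    report = {"ok": [], "modified": [], "missing": []}
    for path, expected in baseline.items():
        current = hash_file(path, algo)
        if current is None:
            report["missing"].append(path)
        elif current != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo():
    """Constructed scenario: fake 'binaries' in a temp dir, one swapped out after baselining."""
    with tempfile.TemporaryDirectory() as d:
        paths = [os.path.join(d, name) for name in ("ls", "ps", "netstat")]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"original " + os.path.basename(p).encode())
        baseline = build_baseline(paths)
        # Simulate the compromise: ps replaced with a different file, netstat deleted.
        with open(paths[1], "wb") as f:
            f.write(b"replaced ps")
        os.remove(paths[2])
        report = check_against_baseline(baseline)
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}
```

As the post's tarball approach implies, run the check with an interpreter and hashing code brought in from trusted media, since anything that replaces ls and ps can replace the hashing tool too.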
TicMan
Posts: 2484
Location: Brisbane, Queensland

gimpy's probably right, only newbs run Sendmail.

#6 02:41pm 17/08/07
gimpy
Posts: 1667
Location: Brisbane, Queensland

that's what ya mum said, right after i made love to her
our faces were like this :O :O

#7 02:45pm 17/08/07
Opec
Posts: 4677
Location: Brisbane, Queensland

Interesting read

#8 02:49pm 17/08/07
Obes
Posts: 5385
Location: Brisbane, Queensland

I have experienced a top-level hacking group at work from the wrong side. Starting around 7pm on a Friday, all finished by Monday. They got in via a new BIND vulnerability, using a hacked webserver at the Argentinian version of Telstra. Then proceeding to go after security and military servers in Canada and the US.
First I knew of it was a phone call from the AFP on the Thursday after it, in conference with the DNDCF (or some acronym like that, i.e. Canadian Military), Pentagon and FBI. Long story, hours on the phone. Then a day later some guys from Cert AU rang and helped me to clean it up and they got the info they needed to work out how they cracked BIND. *shrug*

#9 03:53pm 17/08/07
Scorp
Posts: 26
Location: Brisbane, Queensland

Christ, this is probably one of the best non-gaming related news posts on QGL. Thanks for posting this! VERY INTERESTING!

#10 06:39pm 17/08/07
Raven
Posts: 2072
Location: Melbourne, Victoria

> Interesting read

Interesting skim. Not really what I would call interesting as a read :)

#11 07:24pm 19/08/07
Jim
Posts: 6356
Location: Brisbane, Queensland

tah, I was wondering whether or not raven would call it an interesting read

#12 07:39pm 19/08/07