[Unix-l] Redhat box compromised

Eric Myers myers at noether.vassar.edu
Mon Mar 8 18:51:23 EST 2004


David,

  Thanks both for the heads-up and for the pointers to the root-kit.
Do you know what actual vulnerability was used to get into the machine?

  I have a script called Ivan which checks for all sorts of evidence
of compromises and I will add /usr/include/.linux to the list of
things to check for.  If you want to try it to check for anything else
that might have been left on the machine the script is at
	   ftp://noether.vassar.edu/pub/myers/src/adm/Ivan

  Although Red Hat has declared the "end of life" for 7.2, 7.3 and 8.0
they are still in wide use, and I have not heard of any vulnerabilities
in general that would affect these distributions.  So I really would
like to know how this box was hacked.

  There was a kernel vulnerability announced just this weekend
[http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt] which
affects every kernel up to 2.4.24 and 2.6.2, but I believe it requires
local access to exploit it, so this was likely not the problem.

  I'm running 7.2 or 7.3 on several machines in physics, and I've been
concerned that there won't be further security updates from RH and so
I've been considering updating either to 9.x or to Fedora Core.

> 
> We also noticed that 35GB of data files were deleted.

Ouch.  Another good reason to have backups...

       -Eric Myers
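Added example, not Eric's Ivan script: a shell function that lists hidden dot-entries under system directories where none belong, which is the kind of check that would flag the /usr/include/.linux drop directory named in this thread. The directory list passed to it and the depth limit are assumptions.

```shell
#!/bin/sh
# Added example (not the Ivan script from the message above).
# Hidden entries (names starting with '.') have no business under
# /usr/include or /usr/lib; a rootkit hiding its files as
# /usr/include/.linux is exactly what this scan surfaces.

# find_hidden_entries DIR...  -> prints each hidden entry found, one per line.
# Exit status 0 when nothing is found, 1 when at least one entry exists,
# so the caller can use it in an if/&& chain the way Ivan-style checks do.
find_hidden_entries() {
    total=0
    for dir in "$@"; do
        # Skip directories that do not exist on this host (e.g. /usr/X11R6).
        [ -d "$dir" ] || continue
        # -mindepth 1 keeps the directory itself out of the match;
        # -maxdepth 2 is an assumed limit to keep the scan cheap.
        find "$dir" -mindepth 1 -maxdepth 2 -name '.*' -print 2>/dev/null
        n=$(find "$dir" -mindepth 1 -maxdepth 2 -name '.*' -print 2>/dev/null | wc -l)
        total=$((total + n))
    done
    [ "$total" -eq 0 ]
}

# check_known_paths PATH...  -> prints each path that exists (known rootkit
# drop locations reported by others); exit 0 if none exist, 1 otherwise.
check_known_paths() {
    hits=0
    for p in "$@"; do
        if [ -e "$p" ]; then
            echo "present: $p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Stand-alone run: scan the assumed system directories and the path from the thread.
if [ "${1:-}" = "--run" ]; then
    find_hidden_entries /usr/include /usr/lib /usr/local/lib
    check_known_paths /usr/include/.linux
fi
```

Run it as root on a suspect host with `sh scan.sh --run`; a non-zero exit means something was found and the printed paths need a look.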