Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Thu, 14 Dec 2000 04:29:17 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Thu, 14 Dec 2000 04:29:07 -0500 Received: from ziggy.one-eyed-alien.net ([216.51.112.145]:7433 "EHLO ziggy.one-eyed-alien.net") by vger.kernel.org with ESMTP id ; Thu, 14 Dec 2000 04:28:58 -0500 Date: Thu, 14 Dec 2000 00:58:26 -0800 From: Matthew Dharm To: Brian Litzinger , linux-kernel@vger.kernel.org Subject: Re: Is this a compromise and how? Message-ID: <20001214005826.H12544@one-eyed-alien.net> Mail-Followup-To: Brian Litzinger , linux-kernel@vger.kernel.org In-Reply-To: <20001214005345.A3732@top.worldcontrol.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ewQ5hdP4CtoTt3oD" Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: <20001214005345.A3732@top.worldcontrol.com>; from brian@worldcontrol.com on Thu, Dec 14, 2000 at 12:53:46AM -0800 Organization: One Eyed Alien Networks X-Copyright: (C) 2000 Matthew Dharm, all rights reserved. Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org --ewQ5hdP4CtoTt3oD Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Dec 14, 2000 at 12:53:46AM -0800, brian@worldcontrol.com wrote: > Sorry is this is too far off topic, but it seems to me the > kernel may be helping in this break in or maybe some magic > aspect of the filesystem. I doubt that.... from this description, you've been hacked. Even if your /etc/inetd.conf is in good shape, it looks like someone got in. I'm guessing that your ls was also hijacked. You're using RedHat, so try the rpm -V command to verify that the ls binary is the same as what should be in the package. While you're at it, verify the package is the right one (compare to a CD or distr ftp site). Out of curiosity, are you running portmap? Perhaps BIND? There are lots of potential culprits here -- but I suggest you verify all of your binaries and go back and upgrade everything on your system, as well as re-visit the issue of what daemons are started up at boot time. Matt Dharm --=20 Matthew Dharm Home: mdharm-usb@one-eyed-alien.= net=20 Maintainer, Linux USB Mass Storage Driver C: They kicked your ass, didn't they? S: They were cheating! -- The Chief and Stef User Friendly, 11/19/1997 --ewQ5hdP4CtoTt3oD Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE6OIuyz64nssGU+ykRAgKOAJ9CQIfz/aYVb5B6khFD4qJun8+QQQCg3gJ0 tcFKWQbBOGZXs5ij9jVLKeU= =99Ft -----END PGP SIGNATURE----- --ewQ5hdP4CtoTt3oD-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/