From: Yiming Gong (yiming@SECURITY.ZZ.HA.CN)
Date: Thu May 10 2001 - 01:09:22 CDT
I think first you should show us what services your server is now running.
Perhaps an exploit of snmpdx or bind?
Give us your system configuration in detail.
>Greetings,
> we had a root compromise on a Solaris server recently: On Apr 30
>23:30 US Eastern time, a regular user account 'game' and a root
>account 'nois' were added to /etc/passwd ... then the intruder
>logged in and su'd to root
>
>from the lastlog:
>
>--snip------------------------------------------------------------
>game pts/0 200.190.14.66 Mon Apr 30 23:30 - 23:32 (00:01)
>--snap------------------------------------------------------------
>
>from the syslog:
>
>--snip------------------------------------------------------------
>Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
>--snap------------------------------------------------------------
>
>So far we have not been able to find any trojan/root-kit etc.
>The obvious logfile entries suggest that it may have been a
>"script kiddie" rather than a knowledgeable hacker.
>
>Is anyone aware of an intrusion tool that creates 'game'/'nois'
>accounts? I'd really like to know how the hacker got in... :-)
>
>Greetings, Norbert.
>
>--
>Norbert Bollow, Weidlistr.18, CH-8624 Gruet (near Zurich, Switzerland)
>Tel +41 1 972 20 59 Fax +41 1 972 20 69 nb@thinkcoach.com
>> Currently recruiting: Perl programmers and JSP (JavaServer Pages)
>> programmers for the "Traffic Building Bulletin Board System" project
>> at FreeDevelopers.Net ------------------> See http://tbbbs.org
Yiming Gong
yiming@security.zz.ha.cn
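An added detection example, not part of this thread, that checks the two indicators Norbert's post relies on: accounts added to /etc/passwd (here 'game' and the uid-0 account 'nois') and the Solaris syslog line for a successful su into such an account. The passwd baseline, the benign syslog entries and the 'norbert' account are constructed assumptions; the hostname, account names and the su line itself come from the quoted post.

```python
import re

# Constructed baseline: /etc/passwd as assumed to look before the incident.
PASSWD_BEFORE = """root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
norbert:x:1001:10:Norbert:/export/home/norbert:/bin/sh
"""

# Constructed snapshot after the compromise: a regular 'game' account and a
# second uid-0 account 'nois', as described in the post.
PASSWD_AFTER = PASSWD_BEFORE + """game:x:1002:10:game:/export/home/game:/bin/sh
nois:x:0:1:nois:/:/sbin/sh
"""

# Syslog sample: the su line quoted in the post plus two constructed entries
# (one legitimate su to root, one failed attempt that must not match).
SYSLOG = """Apr 30 22:10:03 tarsus.cisto.org su: 'su root' succeeded for norbert on /dev/pts/2
Apr 30 23:30:23 tarsus.cisto.org su: 'su nois' succeeded for game on /dev/pts/0
Apr 30 23:31:07 tarsus.cisto.org su: 'su root' failed for game on /dev/pts/0
"""

# Solaris su(1M) success message: su: 'su <target>' succeeded for <caller> on <tty>
SU_RE = re.compile(r"su: 'su (\S+)' succeeded for (\S+) on (\S+)")

def parse_passwd(text):
    """Return {username: uid} for every well-formed passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7:
            users[fields[0]] = int(fields[2])
    return users

def new_accounts(baseline, snapshot):
    """Accounts present in the snapshot but absent from the baseline, with their uids."""
    before, after = parse_passwd(baseline), parse_passwd(snapshot)
    return {name: uid for name, uid in after.items() if name not in before}

def suspicious_su(syslog, baseline, snapshot):
    """Successful su events whose target is a uid-0 account other than 'root',
    or whose caller is an account that did not exist in the baseline."""
    added = new_accounts(baseline, snapshot)
    uids = parse_passwd(snapshot)
    hits = []
    for line in syslog.splitlines():
        m = SU_RE.search(line)
        if not m:
            continue  # not a successful su, e.g. the 'failed' line above
        target, caller, tty = m.groups()
        rogue_root = uids.get(target) == 0 and target != "root"
        if rogue_root or caller in added:
            hits.append((target, caller, tty))
    return hits
```

Run against the real files, the same two checks flag a second uid-0 entry in /etc/passwd and the su that used it, which is exactly the trail visible in the quoted syslog.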