Re: SSH compiled with backdoor

From: Peter Kosinar (gooberksp.sk)
Date: Wed Aug 31 2005 - 19:24:27 CDT


This mail was originally sent to the original poster's address but
(what a surprise :-) ) it bounced because of the phony address he used.
Therefore, I'm sending it here...

Hello Steve!

> According to john, a couple of users had weak passwords, but root seemed
> well protected. From looking in all the bash_history, it appears the
> hacker came in from the website account, and did an su from there.

Hmm... did you perform some kind of post-mortem analysis of the system?
For example, did you find the john.pot file, where JTR stores the cracked
passwords? Did the /lib/java directory contain any interesting data? Did
you find the way the attacker used to obtain root (assuming that the
password wasn't cracked)?

> I found this about a month later when I logged into the box, did an ls,
> only to be met by a seg fault. A ps x showed mech.tgz trying to be

'ls' causing a segfault is a common symptom of an installed rootkit. Did you
look for some other misbehaving programs? In fact, as you are running a
2.4-series kernel, it might be a kernel-level rootkit called SucKit, which
is, according to my experience, quite popular among .ro badguys.

Peter Kosinar

--
[Name] Peter Kosinar [Quote] 2B | ~2B = exp(i*PI) [ICQ] 134813278
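The reply above treats a crashing `ls` as a rootkit symptom and asks whether other programs were checked. The script below is an added example, not part of the mail or of any tool it mentions: it verifies a set of binaries against a known-good SHA-256 baseline and reports which are unchanged, modified or missing. The file names, contents and the baseline are constructed in a temporary directory so it runs offline; on a real system the baseline would come from a trusted source (install media or the package database) and the check would be run from a clean boot medium rather than from the suspect kernel.

```python
"""Added triage example: compare system binaries against a trusted hash
baseline, the first userland check when a rootkit is suspected.

Everything here is constructed for the demonstration (file names, contents,
baseline); nothing is taken from a real system.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Record name -> sha256 for each trusted file under ``root``."""
    return {n: sha256_file(os.path.join(root, n)) for n in names}


def verify_baseline(root, baseline):
    """Return findings as {'ok': [...], 'modified': [...], 'missing': [...]}.

    A missing file is reported separately from a modified one, since a
    deleted tool and a replaced tool call for different follow-up.
    """
    findings = {"ok": [], "modified": [], "missing": []}
    for name, expected in sorted(baseline.items()):
        path = os.path.join(root, name)
        if not os.path.exists(path):
            findings["missing"].append(name)
        elif sha256_file(path) != expected:
            findings["modified"].append(name)
        else:
            findings["ok"].append(name)
    return findings


def demo():
    """Constructed scenario: three fake 'binaries' are baselined, then one is
    replaced and one deleted, as a trojaning rootkit install might do."""
    with tempfile.TemporaryDirectory() as root:
        originals = (("ls", b"original ls"),
                     ("ps", b"original ps"),
                     ("netstat", b"original netstat"))
        for name, body in originals:
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        baseline = build_baseline(root, [n for n, _ in originals])

        # Simulate tampering after the baseline was taken (constructed).
        with open(os.path.join(root, "ls"), "wb") as f:
            f.write(b"trojaned ls")
        os.remove(os.path.join(root, "netstat"))

        return verify_baseline(root, baseline)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {names}")
```

A userland hash check only finds replaced binaries. A kernel-level rootkit of the kind the reply names leaves the files on disk untouched and lies to the running system instead, so the same comparison must be made from a boot medium whose kernel is trusted, and a clean result from the live system proves little.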