| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: frank at knobbe.us (Frank Knobbe) Subject: Automated ssh scanning On Wed, 2004-08-25 at 17:32, Richard Verwayen wrote: > The attackers installed some software and irc-bots and tried to use this > host for testing other computers, thats not the point. I would like to > know where's the weak point in the system? As the system was updates on > a daily base! The only known weakness were these two accounts! How do you know what they brought in? Do you have shell history files available? Care to share them with us? Shell history should (if left over) should give a clue to not just what they brought in, but also how they used it. That will answer your question as to what local root exploit they used. If you don't have shell history files left over, try repeating the experiment with .history hard-linked to something like .opera/adprefs.ini (create other .opera/ files as cover). Once they clean up and delete the .history file, you should be left with a copy in .opera/adprefs.ini. (Depending on the clue level of the script kiddie he may not find the linked copy). If you do have .history content, or other log info, pleas share it here with us. Regards, Frank -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: This is a digitally signed message part Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040826/511a5141/attachment.bin
Powered by blists - more mailing lists