system seems hacked...
Bill Campbell
linux-sxs at celestial.com
Mon Mar 3 08:48:52 PST 2008
On Mon, Mar 03, 2008, Roger Oberholtzer wrote:
>On Mon, 2008-02-25 at 15:33 -0800, Bill Campbell wrote:
>> On Thu, Feb 21, 2008, Roger Oberholtzer wrote:
>> >On Fri, 2008-02-22 at 07:37 +1100, James McDonald wrote:
>> >
>> >> > Anyone seen/heard of this specific exploit?
>> >> >
>> >> >
>> >> No I haven't. Have you tried chkrootkit and rkhunter to see if they can
>> >> identify it?
>> >>
>> >> Also probably not going to work if it's hiding itself but try pstree
>> >> which may show you the parent process.
>> >
>> >I cross posted to the openSUSE list (as that is where this was running).
>> >All is sorted. Seems it was:
>> >
>> > http://www.energymech.net/
>> >
>> >which is a non-root IRC bot. One thing it does is hide the real process
>> >name. It was not /usr/bin/sshd. It was the IRC bot running from a user
>> >folder with only that user's rights. Still, I am not happy. There will
>> >be a password shakeup with the users!
>>
>> This type of attack often is made via webmin or usermin exploiting bad user
>> passwords.
>
>I think we have narrowed it down to two users from the same location,
>whose accounts were used to run the offending software. After our
>password shake up, the problem is gone. So we will keep our password
>requirements more aggressive.
>
>Anyone know of a windows program that lets one set their Linux password?
>I know that sounds like a crazy thing, but this was part of the problem.
>I never did get the Linux system to authenticate some users via a
>Windows server, which would make this a bit easier for me. Newer
>releases of openSUSE allow you to set this up automatically. But the
>release on the two servers involved in this cannot easily be updated in
>the time I have available for this work. It will happen. But not today.
>The use (or, rather, not using) of Windows passwords on the Linux server
>is the biggest problem in my Linux/Windows integration.
I have built a system for one of our ISP customers where they
maintain their customer information on a Windows system, and it
makes network calls to their primary Linux server to add, modify,
and delete user accounts. The Linux side of this provided by the
vendor used rather primitive perl code that manipulated the
passwd and shadow files directly, often not doing it properly. I
removed about 90% of their code, substituting calls to an xmlrpc
server I wrote that handles the user updates, and updates several
other things such as jive_messenger, samba passwords, and
multiple openldap servers.
Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
Government is the great fiction, through which everybody endeavors to
live at the expense of everybody else. -- Frederic Bastiat
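Added example, not from the thread: a defender-side check for the behaviour Roger describes, a non-root bot that rewrites its process name to look like /usr/bin/sshd while the binary actually lives in a user folder. The process record in the sample, the daemon-name list and the directory lists are constructed assumptions; the live scan reads /proc and so applies to Linux only.

```python
import os
from dataclasses import dataclass

SYSTEM_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/libexec/")
USER_DIRS = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")   # writable by an ordinary user
DAEMON_NAMES = {"sshd", "httpd", "crond", "cron", "syslogd", "init"}  # assumed watch-list

@dataclass
class ProcInfo:
    pid: int
    uid: int
    comm: str   # /proc/<pid>/comm: kernel-side name, derived from the binary
    argv0: str  # first field of /proc/<pid>/cmdline: rewritable by the process itself
    exe: str    # readlink(/proc/<pid>/exe): the binary actually mapped, not spoofable

def masquerade_reasons(p: ProcInfo) -> list[str]:
    """Return why a process looks like it is hiding its real identity ([] if it does not)."""
    reasons = []
    real = p.exe.replace(" (deleted)", "")
    shown = os.path.basename((p.argv0.split() or [p.comm])[0]).rstrip(":")
    # argv[0] names a system binary other than the one mapped (realpath tolerates symlinks)
    if p.argv0.startswith(SYSTEM_DIRS) and os.path.realpath(p.argv0) != real:
        reasons.append(f"argv[0] claims {p.argv0} but exe is {real}")
    # a daemon name is shown, yet the binary was loaded from a user-writable location
    if (shown in DAEMON_NAMES or p.comm in DAEMON_NAMES) and real.startswith(USER_DIRS):
        reasons.append(f"'{shown}' is really {real} (uid {p.uid})")
    return reasons

def scan_proc() -> list[tuple[ProcInfo, list[str]]]:
    """Walk /proc on a Linux host; run as root to read other users' exe links."""
    hits = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            comm = open(f"{base}/comm").read().strip()
            argv0 = open(f"{base}/cmdline", "rb").read().split(b"\0")[0].decode(errors="replace")
            p = ProcInfo(int(entry), os.stat(base).st_uid, comm, argv0, os.readlink(f"{base}/exe"))
        except OSError:
            continue  # process exited, kernel thread, or another user's process without root
        if reasons := masquerade_reasons(p):
            hits.append((p, reasons))
    return hits

if __name__ == "__main__":
    # Constructed sample mirroring the thread: a bot in a user folder posing as /usr/bin/sshd.
    bot = ProcInfo(2345, 1003, "sshd", "/usr/bin/sshd", "/home/alice/.x/mech")
    print(masquerade_reasons(bot))
    for p, why in scan_proc():
        print(p.pid, p.uid, p.comm, "|", "; ".join(why))
```

A genuine sshd rewrites its own argv to strings like "sshd: alice [priv]", which is why the first check keys on an absolute system path in argv[0] rather than on any mismatch.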