Mailinglist Archive: opensuse (3666 mails)

Re: [SLE] My server got hacked? Anyone seen this?
  • From: Allen <gorebofh@xxxxxxxxxxx>
  • Date: Mon, 14 Mar 2005 00:11:54 -0500
  • Message-id: <20050314051154.GA10651@xxxxxxxxxxxxxxxxxxxxxx>
On Sun, Mar 13, 2005 at 09:06:26PM -0600, Henry Tang wrote:
>
> >Only if you don't boot the machine again.
> >
> >If rm -rf has been put into the init sequence (perhaps /etc/boot)
> >then by starting the machine again the rogue code will be started and do
> >it's damage.
> >
> >You can boot with knoppix and then mount your partitions and examine them
> >for damage.
> >
> >Did you install tripwire?
> >
> >
> >
> >
> Tripwire looks like a pretty good software! So I still do that after
> booting with Knoppix?
>
> I looked into my system and this is what I found and wonder.
>
> Does this show that the email was sent by root?
>
> H??Received: (from root@localhost)
> by main.yucreation.com (8.11.6/8.11.6/SuSE Linux 0.5) id
> j2A9fEW12735
> for Blondu@xxxxxxxx; Thu, 10 Mar 2005 03:41:14 -0600
> H?D?Date: Thu, 10 Mar 2005 03:41:14 -0600
> H?F?From: root <root>
>
> I think the hack that sends out the email with shadow and passwd listing
> either has root access or shadow group access. Because according to
> this below it shows that only user of shadow or root can read the file.
> If the hacker has root, what is the purpose of getting the system config
> or shadow file via email. I don't see a reason going through all that
> trouble. So must be user gdm.

GDM is an application, like KDM, which shows a GUI login...


> shadow:x:15:root,gdm
>
> -rw-r--r-- 1 root root 3102 Mar 11 03:49 passwd
> -rw-r--r-- 1 root root 3102 Jan 5 23:26 passwd-
> -rw-r--r-- 1 root root 2761 Oct 8 2003 passwd.bak
> -rw-r--r-- 1 root root 2942 Nov 23 2003 passwd.old
> main:/etc # ls -la | grep shadow
> -rw-r--r-- 1 root shadow 772 Feb 9 15:35 group
> -rw-r--r-- 1 root shadow 744 Oct 7 2003 group.bak
> -rw-r----- 1 root shadow 765 Nov 7 2003 gshadow
> -rw------- 1 root root 755 Nov 7 2003 gshadow-
> -rw-r----- 1 root shadow 1859 Mar 11 04:26 shadow
> -rw-r----- 1 root shadow 1819 Jan 12 12:07 shadow-
> -rw-r----- 1 root shadow 1361 Oct 8 2003 shadow.bak
> -rw-r----- 1 root shadow 1859 Mar 11 04:24 shadow.old
>
> In the file listing like below. It is open to anyone so that doesn't
> explain much. :9
>
> ===============================================================

Mainly replying to point something out here:

Nethack is a game. They aren't "hacking files".

> Hacking Files..
> /etc/opt/gnome/SuSE/Games/TacticStrategy/xnethack.desktop
> /etc/opt/kde2/share/applnk/SuSE/Games/TacticStrategy/xnethack.desktop
> /etc/X11/susewm/AddEntrys/SuSE/Games/Action/nethack.desktop
> /etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/nethack.desktop
> /etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/xnethack.desktop
> /etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.-368.desktop
> /etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.desktop
> /home/choad/ftp/appz/Macromedia_Studio_MX/FreeHand/Goodies/Assets/Templates/WebSite Templates/Snake Shack.FT9
> /home/henry/hacking
> /home/henry/_desktop/replays/hacked.rep
> /home/henry/_desktop/replays/hacked2.rep
> /opt/gnome/share/gnome/distribution-menus/SuSE/Games/TacticStrategy/xnethack.desktop
> /opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jl
> /opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jlc
> /usr/games/nethack
> /usr/games/nethack.d
> /usr/games/nethack.d/nethack.qt
>
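One defender-side check the quoted permission listing invites, as an added example that is not part of the original post: parse such `ls -la` output of /etc and flag deviations from an expected owner/group/mode baseline, world-readable copies of shadow files, and anything modified after the time the suspicious root mail went out. The baseline values are an assumption for a stock install of that era, and the embedded listing is constructed from the lines quoted in the thread.

```python
from datetime import datetime

# Sample ls -la lines, constructed from the listing quoted in the thread.
LISTING = """\
-rw-r--r-- 1 root root 3102 Mar 11 03:49 passwd
-rw-r--r-- 1 root root 2942 Nov 23 2003 passwd.old
-rw-r----- 1 root shadow 765 Nov 7 2003 gshadow
-rw------- 1 root root 755 Nov 7 2003 gshadow-
-rw-r----- 1 root shadow 1859 Mar 11 04:26 shadow
-rw-r----- 1 root shadow 1819 Jan 12 12:07 shadow-
-rw-r----- 1 root shadow 1859 Mar 11 04:24 shadow.old
"""

# Assumed baseline: (owner, group, mode) expected for each account database.
BASELINE = {
    "passwd": ("root", "root", "rw-r--r--"),
    "shadow": ("root", "shadow", "rw-r-----"),
    "gshadow": ("root", "shadow", "rw-r-----"),
}

def parse_mtime(month, day, time_or_year, year_for_recent=2005):
    """ls prints 'Mon DD HH:MM' for recent files and 'Mon DD YYYY' for old ones."""
    if ":" in time_or_year:
        return datetime.strptime(f"{month} {day} {year_for_recent} {time_or_year}",
                                 "%b %d %Y %H:%M")
    return datetime.strptime(f"{month} {day} {time_or_year}", "%b %d %Y")

def audit(listing, since="2005-03-10 00:00"):
    """Return (name, finding) pairs: baseline mismatches, world-readable copies
    of shadow/gshadow, and files modified at or after the `since` timestamp."""
    cutoff = datetime.strptime(since, "%Y-%m-%d %H:%M")
    findings = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9:
            continue  # skip totals/blank lines
        mode, owner, group, name = f[0][1:10], f[2], f[3], f[8]
        mtime = parse_mtime(f[5], f[6], f[7])
        base = name.split(".")[0].rstrip("-")  # shadow.old / shadow- -> shadow
        if name in BASELINE and (owner, group, mode) != BASELINE[name]:
            findings.append((name, f"baseline mismatch: {owner}:{group} {mode}"))
        if base in ("shadow", "gshadow") and mode[6] == "r":  # other-read bit
            findings.append((name, "copy of a shadow file is world-readable"))
        if mtime >= cutoff:
            findings.append((name, f"modified {mtime:%Y-%m-%d %H:%M}, after incident start"))
    return findings

for name, finding in audit(LISTING):
    print(f"{name}: {finding}")
```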
