On Wednesday 19 July 2006 12:35, Dennis wrote:
> Hi Steffan
>
> No, in my situation the user probably first found an ftp account of a
> user who had a bad password,
> then he uploaded the .pl file, which is a CGI-TELNET script.
> Through this script he was able to put an aha.c file (bind.tty) and bind
> in the same folder, and together with cgi.php, which was a PHP shell script,
> he was able to put the prctl suidseif exploit from Julien Tinnes in
> the crontab,
> and that was causing a malicious crontab error as the command
> /dev/shm/nice2k did not seem to work
>
> the person entered my system from 4 different IP addresses, using 2 IP
> addresses within some seconds of each other ..
>
> crontab stuff removed
> cron restarted
> removed the user ..
> saved the crack stuff in a non web folder for later usage ;-)
>
> no issues found with chkrootkit ..
>
Suggestion: please consider changing the MODE of the gcc program (compiler)
to 444 (read only) or even 400 which will not totally stop all these attacks,
but will prevent them from being able to natively compile their attack
programs on your server. You just have to remember to change the mode back
if you ever do decide to actually compile programs, but pretty much all "pkg"
packages do not require the compiler.
--
Larry Smith
SysAd ECSIS.NET
sysad (at mark) ecsis.net
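Larry's suggestion as a small shell helper, added here as an example and not part of the thread or of any project mentioned in it. It strips the execute bits from the compiler binaries found in a directory (mode 400), restores them when you actually need to build, and has a check that reports whether any compiler is still executable. The directory argument, the list of binary names in COMPILERS and the scratch-directory demonstration at the bottom are assumptions; on a real host you would point it at the directory that holds gcc and run it as root.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): lock and unlock compiler
# binaries by stripping their execute bits, as Larry suggests, and report
# their state. The binary names below are an assumption; extend as needed.

COMPILERS="gcc cc g++ c++ as ld"

# Strip every execute bit (mode 400) from each compiler present in $1.
lock_compilers() {
    dir=$1
    for name in $COMPILERS; do
        path="$dir/$name"
        [ -f "$path" ] || continue
        chmod 400 "$path" || return 1
    done
    return 0
}

# Restore the usual 755 mode (Larry's reminder: do this before you compile,
# and lock again afterwards).
unlock_compilers() {
    dir=$1
    for name in $COMPILERS; do
        path="$dir/$name"
        [ -f "$path" ] || continue
        chmod 755 "$path" || return 1
    done
    return 0
}

# Return 0 only when no compiler in $1 is executable by anyone.
# test -x is false for mode 400 even when run as root, since no execute
# bit is set at all; any still-executable path is reported on stderr.
compilers_locked() {
    dir=$1
    for name in $COMPILERS; do
        path="$dir/$name"
        [ -f "$path" ] || continue
        if [ -x "$path" ]; then
            echo "still executable: $path" >&2
            return 1
        fi
    done
    return 0
}

# Demonstration on a scratch directory with a constructed fake "gcc",
# so the functions can be tried without touching the real toolchain.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho fake compiler\n' > "$demo_dir/gcc"
chmod 755 "$demo_dir/gcc"
compilers_locked "$demo_dir" || echo "before: gcc is executable"
lock_compilers "$demo_dir"
compilers_locked "$demo_dir" && echo "after: compilers locked"
rm -rf "$demo_dir"
```

Note the limit Larry himself states: this only blocks compiling on the box. An attacker who uploads a prebuilt binary, as Dennis's intruder did with bind and the crontab command, is unaffected, so the mode change belongs alongside the account cleanup and crontab review, not in place of them.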