On 28 Aug 2005 at 17:43, Webmaster wrote:

> We have not been able to determine how a hacker was able to crack one
> of our hosts and deposit binaries on all the hosts in our network (all
> hosts are FC3).
>
> A tripwire report shows the following binaries as being modified. We
> think this is part of "ethereal," an IP packet sniffer. Because so
> many files have been modified (these are just the ones in /usr/bin), we
> decided to wipe the system and install FC4. chkrootkit.0.45 sometimes
> reports that an LKM trojan has been installed, but it does not report
> a problem each time it is invoked.
>
> This would be a hack to watch out for, as a sniffer on a web host may
> have been put there presumably to capture data in submitted forms
> (like credit card numbers).
>
> Suggestions as to how to prevent this sort of thing would be entertained!
> We've already done the usual things like disallow telnet, use the
> soft firewall that comes with FC3, no anonymous FTP, no known bad php
> apps (like phpBB).
>
> Modified:
> "/usr/bin"
> "/usr/bin/411toppm" etc.

Aren't those binaries all from netpbm, which just got an update? Could they have been changed by up2date automagically?
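The question in the reply (package update or intruder?) can be settled before wiping the box by asking the RPM database which package owns each Tripwire hit and whether the installed file still matches that package. The script below is an added example, not code from the thread; it assumes an rpm-based host such as FC3/FC4, paths without spaces, and the function names (`classify_verify_line`, `triage_paths`) are my own. The `rpm -V` lines used in the comments and tests are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original thread): triage a Tripwire hit list
# against the RPM database to separate "up2date replaced netpbm" from
# "someone dropped a trojaned binary".  Assumes an rpm-based host (FC3/FC4).
set -f   # no pathname expansion while we word-split rpm output

# Classify one line of `rpm -V` output.  Format: an attribute column
# (8 chars on FC3-era rpm, 9 on newer: S size, M mode, 5 md5, D device,
# L link target, U user, G group, T mtime, P caps; "." = unchanged),
# an optional file-type letter (c = config, d = doc, g/l/r), then the path.
# A line reading "missing  PATH" means the file is gone.
# Prints one of: SUSPECT, CONFIG, CLEAN, MISSING followed by the path.
classify_verify_line() {
    set -- $1                     # word-split: flags [type] path
    [ $# -lt 2 ] && return 0      # blank line or nothing to classify
    flags=$1; shift
    ftype=""
    case $1 in c|d|g|l|r) ftype=$1; shift ;; esac
    path=$1
    [ -z "$path" ] && return 0
    case $flags in
        Unsatisfied) ;;           # "Unsatisfied dependencies ..." line, not a file
        missing)
            echo "MISSING $path" ;;
        *[SM5LUG]*)
            # size, mode, md5, link target or ownership differs from the rpm
            if [ "$ftype" = c ]; then
                echo "CONFIG $path"   # edited config file: expected
            else
                echo "SUSPECT $path"  # changed binary the package did not ship
            fi ;;
        *)
            # only mtime/device/caps differ: file contents still match the rpm
            echo "CLEAN $path" ;;
    esac
}

# Same thing for a whole `rpm -V` report on stdin.
classify_verify_output() {
    while IFS= read -r line; do
        classify_verify_line "$line"
    done
}

# For each path, find the owning package and verify the file against it.
# Needs a trusted rpm binary and database: if an LKM rootkit is hiding
# files or rpm itself was replaced, run this from rescue media instead.
triage_paths() {
    for p in "$@"; do
        pkg=$(rpm -qf "$p" 2>/dev/null) && [ -n "$pkg" ] || {
            echo "UNOWNED $p"         # no package claims it: prime suspect
            continue
        }
        set -- $pkg; pkg=$1           # first owner if several packages claim it
        line=$(rpm -V "$pkg" 2>/dev/null | awk -v p="$p" '$NF == p')
        if [ -n "$line" ]; then
            printf '%s (%s)\n' "$(classify_verify_line "$line")" "$pkg"
        else
            echo "CLEAN $p ($pkg)"    # rpm -V prints nothing for unchanged files
        fi
    done
}

# usage: sh triage.sh /usr/bin/411toppm /usr/bin/pnmtopng ...
if [ $# -gt 0 ]; then
    triage_paths "$@"
fi
```

A CLEAN result for every netpbm file, together with an install time from `rpm -q --last netpbm-progs` that matches the Tripwire change time, supports the up2date explanation; a SUSPECT or UNOWNED hit does not. Two caveats: Tripwire will flag every file a package update replaces, so its database has to be re-initialised after each up2date run or every update looks like an intrusion, and if the intermittent chkrootkit LKM warning is genuine the kernel can lie to both rpm and Tripwire, so the verification should be repeated from a clean boot medium before trusting it.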