We have not been able to determine how a hacker was able to crack one of our hosts and deposit binaries on all the hosts in our network (all hosts are FC3). A tripwire report shows the following binaries as being modified. We think this is part of "ethereal," an IP packet sniffer. Because so many files have been modified (these are just the ones in /usr/bin), we decided to wipe the system and install FC4. chkrootkit.0.45 sometimes reports that an LKM trojan has been installed, but it does not report a problem each time it is invoked.

This would be a hack to watch out for, as a sniffer on a web host may have been put there presumably to capture data in submitted forms (like credit card numbers).

Suggestions as to how to prevent this sort of thing would be entertained! We've already done the usual things like disallow telnet, use the soft firewall that comes with FC3, no anonymous FTP, no known bad php apps (like phpBB).
Modified:
"/usr/bin"
"/usr/bin/411toppm"
"/usr/bin/asciitopgm"
"/usr/bin/atktopbm"
"/usr/bin/bioradtopgm"
"/usr/bin/bmptopnm"
"/usr/bin/brushtopbm"
"/usr/bin/cameratopam"
"/usr/bin/cmuwmtopbm"
"/usr/bin/ddbugtopbm"
"/usr/bin/escp2topbm"
"/usr/bin/eyuvtoppm"
"/usr/bin/fiascotopnm"
"/usr/bin/fitstopnm"
"/usr/bin/fstopgm"
"/usr/bin/g3topbm"
"/usr/bin/gemtopnm"
"/usr/bin/giftopnm"
"/usr/bin/gouldtoppm"
"/usr/bin/hdifftopam"
"/usr/bin/hipstopgm"
"/usr/bin/icontopbm"
"/usr/bin/ilbmtoppm"
"/usr/bin/imgtoppm"
"/usr/bin/infotopam"
"/usr/bin/jbigtopnm"
"/usr/bin/jpeg2ktopam"
"/usr/bin/jpegtopnm"
"/usr/bin/leaftoppm"
"/usr/bin/lispmtopgm"
"/usr/bin/macptopbm"
"/usr/bin/mdatopbm"
"/usr/bin/mgrtopbm"
"/usr/bin/mrftopbm"
"/usr/bin/mtvtoppm"
"/usr/bin/neotoppm"
"/usr/bin/palmtopnm"
"/usr/bin/pamarith"
"/usr/bin/pamchannel"
"/usr/bin/pamcomp"
"/usr/bin/pamcut"
"/usr/bin/pamdeinterlace"
"/usr/bin/pamdice"
"/usr/bin/pamditherbw"
"/usr/bin/pamedge"
"/usr/bin/pamendian"
"/usr/bin/pamenlarge"
"/usr/bin/pamfile"
"/usr/bin/pamflip"
"/usr/bin/pamfunc"
"/usr/bin/pamgauss"
"/usr/bin/pamlookup"
"/usr/bin/pammasksharpen"
"/usr/bin/pamoil"
"/usr/bin/pamperspective"
"/usr/bin/pampop9"
"/usr/bin/pamscale"
"/usr/bin/pamseq"
"/usr/bin/pamsharpmap"
"/usr/bin/pamsharpness"
"/usr/bin/pamslice"
"/usr/bin/pamstack"
"/usr/bin/pamstereogram"
"/usr/bin/pamstretch"
"/usr/bin/pamsumm"
"/usr/bin/pamsummcol"
"/usr/bin/pamtodjvurle"
"/usr/bin/pamtohdiff"
"/usr/bin/pamtohtmltbl"
"/usr/bin/pamtojpeg2k"
"/usr/bin/pamtopfm"
"/usr/bin/pamtopnm"
"/usr/bin/pamtotga"
"/usr/bin/pamtouil"
"/usr/bin/pbmclean"
"/usr/bin/pbmlife"
"/usr/bin/pbmmake"
"/usr/bin/pbmmask"
"/usr/bin/pbmpage"
"/usr/bin/pbmpscale"
"/usr/bin/pbmreduce"
"/usr/bin/pbmtext"
"/usr/bin/pbmtextps"
"/usr/bin/pbmto10x"
"/usr/bin/pbmto4425"
"/usr/bin/pbmtoascii"
"/usr/bin/pbmtoatk"
"/usr/bin/pbmtobbnbg"
"/usr/bin/pbmtocmuwm"
"/usr/bin/pbmtodjvurle"
"/usr/bin/pbmtoepsi"
"/usr/bin/pbmtoepson"
"/usr/bin/pbmtoescp2"
"/usr/bin/pbmtog3"
"/usr/bin/pbmtogem"
"/usr/bin/pbmtogo"
"/usr/bin/pbmtoibm23xx"
"/usr/bin/pbmtoicon"
"/usr/bin/pbmtolj"
"/usr/bin/pbmtoln03"
"/usr/bin/pbmtolps"
"/usr/bin/pbmtomacp"
"/usr/bin/pbmtomatrixorbital"
"/usr/bin/pbmtomda"
"/usr/bin/pbmtomgr"
"/usr/bin/pbmtomrf"
"/usr/bin/pbmtonokia"
"/usr/bin/pbmtopgm"
"/usr/bin/pbmtopi3"
"/usr/bin/pbmtopk"
"/usr/bin/pbmtoplot"
"/usr/bin/pbmtoppa"
"/usr/bin/pbmtopsg3"
"/usr/bin/pbmtoptx"
"/usr/bin/pbmtowbmp"
"/usr/bin/pbmtox10bm"
"/usr/bin/pbmtoxbm"
"/usr/bin/pbmtoybm"
"/usr/bin/pbmtozinc"
"/usr/bin/pbmupc"
"/usr/bin/pc1toppm"
"/usr/bin/pcxtoppm"
"/usr/bin/pfmtopam"
"/usr/bin/pgmabel"
"/usr/bin/pgmbentley"
"/usr/bin/pgmcrater"
"/usr/bin/pgmenhance"
"/usr/bin/pgmhist"
"/usr/bin/pgmkernel"
"/usr/bin/pgmminkowski"
"/usr/bin/pgmmorphconv"
"/usr/bin/pgmnoise"
"/usr/bin/pgmramp"
"/usr/bin/pgmtexture"
"/usr/bin/pgmtofs"
"/usr/bin/pgmtolispm"
"/usr/bin/pgmtopbm"
"/usr/bin/pgmtopgm"
"/usr/bin/pgmtoppm"
"/usr/bin/pi1toppm"
"/usr/bin/pi3topbm"
"/usr/bin/pjtoppm"
"/usr/bin/pktopbm"
"/usr/bin/pngtopnm"
"/usr/bin/pnmalias"
"/usr/bin/pnmcat"
"/usr/bin/pnmcolormap"
"/usr/bin/pnmcomp"
"/usr/bin/pnmconvol"
"/usr/bin/pnmcrop"
"/usr/bin/pnmcut"
"/usr/bin/pnmdepth"
"/usr/bin/pnmgamma"
"/usr/bin/pnmhisteq"
"/usr/bin/pnmhistmap"
"/usr/bin/pnmindex"
"/usr/bin/pnminvert"
"/usr/bin/pnmmontage"
"/usr/bin/pnmnlfilt"
"/usr/bin/pnmnorm"
"/usr/bin/pnmpad"
"/usr/bin/pnmpaste"
"/usr/bin/pnmpsnr"
"/usr/bin/pnmremap"
"/usr/bin/pnmrotate"
"/usr/bin/pnmscale"
"/usr/bin/pnmscalefixed"
"/usr/bin/pnmshear"
"/usr/bin/pnmsmooth"
"/usr/bin/pnmsplit"
"/usr/bin/pnmstitch"
"/usr/bin/pnmtile"
"/usr/bin/pnmtoddif"
"/usr/bin/pnmtofiasco"
"/usr/bin/pnmtofits"
"/usr/bin/pnmtojbig"
"/usr/bin/pnmtojpeg"
"/usr/bin/pnmtopalm"
"/usr/bin/pnmtopclxl"
"/usr/bin/pnmtopng"
"/usr/bin/pnmtops"
"/usr/bin/pnmtorast"
"/usr/bin/pnmtorle"
"/usr/bin/pnmtosgi"
"/usr/bin/pnmtosir"
"/usr/bin/pnmtotiff"
"/usr/bin/pnmtotiffcmyk"
"/usr/bin/pnmtoxwd"
"/usr/bin/ppm3d"
"/usr/bin/ppmbrighten"
"/usr/bin/ppmchange"
"/usr/bin/ppmcie"
"/usr/bin/ppmcolormask"
"/usr/bin/ppmcolors"
"/usr/bin/ppmdim"
"/usr/bin/ppmdist"
"/usr/bin/ppmdither"
"/usr/bin/ppmflash"
"/usr/bin/ppmforge"
"/usr/bin/ppmglobe"
"/usr/bin/ppmhist"
"/usr/bin/ppmlabel"
"/usr/bin/ppmmake"
"/usr/bin/ppmmix"
"/usr/bin/ppmntsc"
"/usr/bin/ppmpat"
"/usr/bin/ppmrelief"
"/usr/bin/ppmrough"
"/usr/bin/ppmshift"
"/usr/bin/ppmspread"
"/usr/bin/ppmtoacad"
"/usr/bin/ppmtoarbtxt"
"/usr/bin/ppmtobmp"
"/usr/bin/ppmtoeyuv"
"/usr/bin/ppmtogif"
"/usr/bin/ppmtoicr"
"/usr/bin/ppmtoilbm"
"/usr/bin/ppmtoleaf"
"/usr/bin/ppmtolj"
"/usr/bin/ppmtomitsu"
"/usr/bin/ppmtompeg"
"/usr/bin/ppmtoneo"
"/usr/bin/ppmtopcx"
"/usr/bin/ppmtopgm"
"/usr/bin/ppmtopi1"
"/usr/bin/ppmtopict"
"/usr/bin/ppmtopj"
"/usr/bin/ppmtopjxl"
"/usr/bin/ppmtoppm"
"/usr/bin/ppmtopuzz"
"/usr/bin/ppmtorgb3"
"/usr/bin/ppmtosixel"
"/usr/bin/ppmtoterm"
"/usr/bin/ppmtowinicon"
"/usr/bin/ppmtoxpm"
"/usr/bin/ppmtoyuv"
"/usr/bin/ppmtoyuvsplit"
"/usr/bin/ppmtv"
"/usr/bin/ppmwheel"
"/usr/bin/psidtopgm"
"/usr/bin/pstopnm"
"/usr/bin/qrttoppm"
"/usr/bin/rasttopnm"
"/usr/bin/rawtopgm"
"/usr/bin/rawtoppm"
"/usr/bin/rgb3toppm"
"/usr/bin/rletopnm"
"/usr/bin/sbigtopgm"
"/usr/bin/sgitopnm"
"/usr/bin/sirtopnm"
"/usr/bin/sldtoppm"
"/usr/bin/spctoppm"
"/usr/bin/spottopgm"
"/usr/bin/sputoppm"
"/usr/bin/tgatoppm"
"/usr/bin/thinkjettopbm"
"/usr/bin/tifftopnm"
"/usr/bin/wbmptopbm"
"/usr/bin/winicontoppm"
"/usr/bin/xbmtopbm"
"/usr/bin/ximtoppm"
"/usr/bin/xpmtoppm"
"/usr/bin/xvminitoppm"
"/usr/bin/xwdtopnm"
"/usr/bin/ybmtopbm"
"/usr/bin/yuvsplittoppm"
"/usr/bin/yuvtoppm"
"/usr/bin/zeisstopnm"
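A triage step that is worth running on a Tripwire "Modified:" list like the one above, before deciding whether the changes are a package update or tampering, is to cross-check each path against the package database: which package owns the file, and does its on-disk digest still match what that package shipped. The following is an added example, not code from the original post; it parses the report format shown above and compares against a constructed manifest and a constructed in-memory "disk". On a real FC3 host the manifest would be built from `rpm -qf <path>` (ownership) and `rpm -V <package>` (digest verification) rather than from the possibly-tampered files themselves.

```python
import hashlib
import os
import re
from collections import defaultdict


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed Tripwire-style excerpt, in the same quoted-path format as the post.
REPORT = '''Modified:
"/usr/bin"
"/usr/bin/pnmtopng"
"/usr/bin/ppmtogif"
"/usr/bin/example-unknown"
'''

# Constructed "known good" file contents. On a real host the expected digests come
# from the package database, never from the files under investigation.
GOOD = {
    "/usr/bin/pnmtopng": b"pnmtopng as shipped by the netpbm-progs package",
    "/usr/bin/ppmtogif": b"ppmtogif as shipped by the netpbm-progs package",
}
# Manifest: path -> (owning package, expected sha256). Package name is illustrative.
MANIFEST = {path: ("netpbm-progs", sha256_hex(data)) for path, data in GOOD.items()}

# Constructed on-disk state: one file intact, one altered, one not owned by any package.
FAKE_DISK = {
    "/usr/bin/pnmtopng": GOOD["/usr/bin/pnmtopng"],
    "/usr/bin/ppmtogif": b"ppmtogif with extra bytes appended by someone",
    "/usr/bin/example-unknown": b"not shipped by any package",
}


def parse_modified(report):
    """Return the quoted paths listed under the 'Modified:' heading of a report."""
    paths = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.endswith(":"):          # section headers such as Added:, Removed:, Modified:
            in_section = line == "Modified:"
            continue
        m = re.fullmatch(r'"(.*)"', line)
        if in_section and m:
            paths.append(m.group(1))
    return paths


def make_hasher(disk):
    """Hasher over a constructed dict 'disk'; returns None for paths that do not exist."""
    def hash_of(path):
        data = disk.get(path)
        return None if data is None else sha256_hex(data)
    return hash_of


def file_hasher(path):
    """Real-filesystem hasher: digest of a regular file, None for directories or missing paths."""
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return sha256_hex(f.read())


def triage(paths, manifest, hash_of):
    """Split a modified-file list into package-owned (intact/tampered) and unowned paths."""
    by_package = defaultdict(list)
    unowned, tampered, intact = [], [], []
    for p in paths:
        if p not in manifest:
            # Includes the directory entry itself: a directory shows as modified whenever
            # any entry inside it changes, so "/usr/bin" here is expected noise.
            unowned.append(p)
            continue
        pkg, expected = manifest[p]
        by_package[pkg].append(p)
        actual = hash_of(p)
        (intact if actual == expected else tampered).append(p)
    return {"by_package": dict(by_package), "unowned": unowned,
            "tampered": tampered, "intact": intact}


def run_example():
    return triage(parse_modified(REPORT), MANIFEST, make_hasher(FAKE_DISK))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Swap `make_hasher(FAKE_DISK)` for `file_hasher` to run it against a live filesystem. The useful output is the partition: files whose digest still matches the package (a normal update explains them), files owned by a package whose digest no longer matches (tampering), and paths no package claims (foreign binaries, or the directory entry itself). A list that is entirely "intact" under one package points to a package update rather than an intrusion, which is the first question a report like this should answer.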