[ale] Alas! At long last I've been hacked.
Byron A Jeff
byron at cc.gatech.edu
Sun Feb 2 11:21:57 EST 2003
> Byron A Jeff said:
> > After nearly 4 years of near continuous connection to the net via cable
> > modem my Linux based internet gateway has been hacked. I found a rootkit
> > and a inetd backdoor giving the attacker direct remote root access.
> Could you share how you discovered the rootkit? I'd be interested in
> hearing how you stumbled across it.
Simple. I couldn't log in. So after bringing up the machine in single user
I checked the date of the login program and it indicated that it had been
updated in the last few days. Since the machine was installed almost 4
years ago, that was a big red flag.
It turns out they wern't very tidy. The rootkit was right in the /bin directory
and the inetd entry right at the bottom of the /etc/inetd.conf file.
The truth of the matter was that I didn't use the machine very often, if they
had left the ability for me to continue to log in, I probably wouldn't have
found it at all.
Ale mailing list
Ale at ale.org
More information about the Ale