
Re: hpd, afb, sc, and sn

From: gminick <gminick(at)underground.org.pl>
Date: Sat Dec 21 2002 - 05:53:33 EST

On Fri, Dec 20, 2002 at 02:11:31PM -0700, Gordon Chamberlin wrote:
> I found suspicious looking files on a Redhat 7.1 Linux server earlier
Yes, you've been cracked, but it's hard to say what toolkit was used since I've never heard of any that uses binaries such as afb, sn or sc. Can you provide these files to us (put them on the WWW or something like that)?

> nmap reports the following ports open:
[...]
> 8009/tcp open ajp13

> Anyone know about this hack, what afb does and/or how they usually get
It's important to determine what services you were providing before the attack. From nmap's output we can say that vulnerabilities (for example) in sunrpc or your ssh server or DNS server were used to get in.

-- 
[ ] gminick (at) underground.org.pl  
http://gminick.linuxsecurity.pl/ [ ]
[ "I simply like the morning solitude, because that's when coffee tastes best." ]


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Mon Dec 23 11:48:24 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:55 EDT

