Re: Root password changed

From: Chris Barford <C.Barford(at)student.umist.ac.uk>
Date: Mon Jan 06 2003 - 16:31:01 EST

you mention apache running:
"openssl-too-open is a remote exploit for the KEY_ARG overflow in OpenSSL 0.9.6d and older. It will give you a remote shell with the priviledges of the server process (nobody when used against Apache, root against other servers)."

works against apache servers, u dont specify specifically but it would be my guess that this could be the hole in your system.

However there are also BIND exploits out there, don't have a clue about them.

The way to check is see if your apache leaves port 443 open, and if so look at your version of openssl.

As for the logs and no suspicious processes;

The chances are a rootkit could have been installed to hide the hackers movements, or he came in, changed the pass and then left again after using a log cleaner. You can recover logs in various ways, google is always a good one or someone on this list can help more with that no doubt.

Check for odd dates or sizes on ps. A good place to go to see if you have been "rooted" is: www.chkrootkit.org.

My personal tip would be take your computer off the network asap and then do a thorough analysis with it isolated.

Quoting RCS <rcs@flashwave.com>:

> I have no idea how the root password on my FreeBSD 4.0 system was =

---

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Tue Jan 7 14:32:46 2003