[ILUG] Possible system compromise
Enda
enda at unison.ie
Wed Jan 23 13:03:24 GMT 2002
> I had a problem this morning with a box running SuSE 6.4. It's in a
> company's DMZ and for some reason it was rebooted and networking did not
> start properly. Investigation (of the remote controlled person kind, given
> that the machine was off the air) eventually revealed that the network
start
> script /etc/rc.d/init.d/network was not the correct SuSE script but rather
> was a RedHat version.
suse-security-subscribe at suse.com
subscribe and post your question here, there are some dedicated security
nuts there that answer about 50 of these type questions within minutes every
week.
you'll almost certainly be referred to this as well :
http://www.susesecurity.com/faq/
> This is obviously a little strange and none of those invloved in managing
> the machine know anything about it so I'm wondering could it be part of
some
> rootkit or other. It sounds a very strange to me for a rootkit to do i.e.
to
> modify a script which won't be run for a long time but maybe it's a way of
> ensuring that whatever backdoors might have been installed stay installed
> but OTOH it does sound like a typical rootkit behaviour i.e. to assume
that
> the box being cracked is running RH. Does the behaviour I described ring a
> bell with anybody ?
>
>
>
> Niall
>
> --
> Irish Linux Users' Group: ilug at linux.ie
> http://www.linux.ie/mailman/listinfo/ilug for (un)subscription
information.
> List maintainer: listmaster at linux.ie
>
More information about the ILUG
mailing list