Thanks for your helpful info! I thought I would give you an update. My system was hacked. I spent the better part of last evening purging the intruder. He gave himself a lot of back doors, some I probably didn't find, but as best as I can tell he:

- installed a bunch of scripts in /dev/.lib (which he created), including such names as hack.sh and probe.sh. He was looking for other machines with the same weakness as mine.
- set up two accounts for himself, one with root privileges, of course.
- added two entries to inetd.conf, one that runs a shell and the other ran a program he installed in /sbin.
- installed a bunch of stuff in /tmp

Anyway, to be safe I reinstalled the system and patched bind.

Seth

Dave Sherohman wrote:
>
> On Thu, Jul 19, 2001 at 02:10:47PM -0500, Seth Bernsen wrote:
> > With this message I'm sure to unleash a maelstrom of criticism, but here
> > goes anyway. I have a RH6.2 machine hooked up on the internet. It's
> > pretty much configured out of the box, no patches.
>
> Ouch... How old is 6.2? (Aren't they on 7.1 now? Or was that just my
> imagination?)
>
> > > Please keep me apprised of any actions taken against this offender. I find
> > > this matter to be serious and would appreciate something being done in an
> > > expedient manner.
>
> Based on the provided information, he's nuts. Unless he has logs showing
> that a specific exploit was attempted, there's no evidence that it wasn't
> just a legitimate, but misdirected, DNS request.
>
> > My question is, what is a DNS PORT PROBE? Does that just mean that a
> > program requested service of his computer on port number 53?
>
> Probably.
>
> > If so, what's so wrong with that?
>
> Nothing.
>
> > Also, does the fact that this request came from my computer mean someone
> > has broken in and is attempting connections from my computer?
>
> No. DNS uses UDP, which makes it very easy to forge a source address.
> However, if I were you, I'd take a hard look at the system to see
> whether there is any evidence of intrusion, then upgrade to the latest
> version of $DISTRO and apply all available security patches. No sense
> in leaving the door wide open.
>
> --
> It's as if we outlawed cars on the principle that they could be used
> to help crooks escape from bank robberies. - Dan Gillmore on the DMCA
> _______________________________________________
> tclug-list mailing list
> tclug-list at mn-linux.org
> https://mailman.mn-linux.org/mailman/listinfo/tclug-list

--
Seth Bernsen
V-CPU Engineer
Innoveda, Inc.
Phone: 651-765-2252
Fax: 651-765-2205
http://www.innoveda.com
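The three back doors Seth found (a second UID 0 account, inetd.conf entries that hand a client a shell or a program planted in /sbin, and a hidden /dev/.lib) are exactly what Dave's "take a hard look at the system" amounts to in practice. The script below is an added example, not code from the original thread or from either poster; it runs the same checks against paths you supply, and the passwd file, inetd.conf and dev tree it builds are constructed sample data (the entry name /sbin/backdoor is a placeholder, not a real artifact from Seth's machine). Point the functions at /etc/passwd, /etc/inetd.conf and /dev to run them on a live host.

```shell
#!/bin/sh
# Host triage for the indicators discussed in the thread above. Added example,
# not part of the original mailing-list message. Each check takes a path so it
# can be run against a live system or, as at the bottom, against constructed
# sample inputs.

# Accounts with UID 0 besides root. Prints "name:uid" per offender.
find_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $3 }' "$1"
}

# Classic inetd.conf: field 6 is the server program, field 7 onward its argv.
# Flag an entry when the program handed to the client is a shell, or when the
# server path lies outside /usr/sbin or /usr/libexec. This is a heuristic:
# review the printed lines rather than treating every hit as hostile.
find_suspicious_inetd() {
    awk '
        /^[[:space:]]*(#|$)/ { next }   # comments and blank lines
        NF < 6               { next }   # malformed line, nothing to judge
        $6 == "internal"     { next }   # echo/chargen/etc. built into inetd
        {
            # tcpd-wrapped services name the real server in field 7
            target = ($6 ~ /\/tcpd$/ && NF >= 7) ? $7 : $6
            if (target ~ /(^|\/)(sh|bash|ksh|csh|tcsh|zsh)$/ ||
                $6 !~ /^\/usr\/(sbin|libexec)\//)
                print $1 " -> " target
        }' "$1"
}

# Dot-named directories under a /dev tree (e.g. /dev/.lib). /dev should hold
# device nodes and a few well-known subdirectories, never hidden ones.
find_hidden_in_dev() {
    find "$1" -type d -name '.*' ! -path "$1" 2>/dev/null
}

# --- constructed sample data (not taken from the compromised system) ---------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
seth:x:500:500:Seth:/home/seth:/bin/bash
toor:x:0:0:backup operator:/:/bin/sh
EOF

SAMPLE_INETD="$SAMPLE_DIR/inetd.conf"
cat > "$SAMPLE_INETD" <<'EOF'
# constructed inetd.conf: three normal entries, one internal, two planted
ftp        stream  tcp  nowait  root    /usr/sbin/tcpd   in.ftpd -l -a
telnet     stream  tcp  nowait  root    /usr/sbin/tcpd   in.telnetd
finger     stream  tcp  nowait  nobody  /usr/sbin/tcpd   in.fingerd
echo       stream  tcp  nowait  root    internal
ingreslock stream  tcp  nowait  root    /bin/sh          sh -i
pop3       stream  tcp  nowait  root    /sbin/backdoor   backdoor
EOF

SAMPLE_DEV="$SAMPLE_DIR/dev"
mkdir -p "$SAMPLE_DEV/pts" "$SAMPLE_DEV/.lib"
: > "$SAMPLE_DEV/null"

echo "== UID 0 accounts other than root =="
find_uid0_accounts "$SAMPLE_PASSWD"
echo "== suspicious inetd.conf entries =="
find_suspicious_inetd "$SAMPLE_INETD"
echo "== hidden directories under dev =="
find_hidden_in_dev "$SAMPLE_DEV"
```

On the sample data the first check reports only `toor:0`, the second reports the `ingreslock` shell entry and the `pop3` entry pointing at /sbin, and the third reports the `.lib` directory; the tcpd-wrapped ftp, telnet and finger lines pass. A clean result from these checks is not proof the host is clean (Seth's note that he "probably didn't find" every back door is the right instinct), which is why the reinstall he chose is the safer ending.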