1/23/00

9:30am  Eric S. complained of email being broken.

10am    I logged in and noted /var/log was empty.

/etc/inetd.conf was owned:

    -rwxr-xr-x   1 509      dialout      3376 Jan 23 19:24 inetd.conf

It had things like:

    shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
    login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
    telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
    telnetd stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd

(The date on that inetd listing above is wrong, I already edited it...)

.bash_history is symlinked to /dev/null in root's home!

    lrwxrwxrwx   1 root     ftp             9 Jan 23 12:47 .bash_history -> /dev/null

Here is a good 'ls'.  Break-in was at 'Jan 23 12:47'.

find is acting funny.... not much is being returned, and it is fast!

Let's try running some 'ls -l' commands:

    -rwxr-xr-x   1 509      dialout    138288 Nov  3 05:58 /usr/bin/dir
    -rwxr-xr-x   1 509      dialout    101924 Nov  3 05:58 /usr/bin/du
    -rwxr-xr-x   1 509      dialout     52984 Nov  3 05:58 /usr/bin/find
    -rwxr-xr-x   1 509      dialout      9712 Nov  3 05:58 /usr/bin/killall
    -rwxr-xr-x   1 509      dialout     32281 Nov  3 05:58 /usr/bin/pstree
    -rwxr-xr-x   1 509      dialout     47604 Nov  3 05:58 /usr/bin/top
    -rwxr-xr-x   1 509      dialout    138289 Nov  3 05:58 /usr/bin/vdir

We have patched files!

    -rwxr-xr-x   1 509      dialout     71315 Dec 24 20:34 /bin/login
    -rwxr-xr-x   1 509      dialout    138283 Nov  3 05:58 /bin/ls
    -rwxr-xr-x   1 509      dialout     30968 Nov  3 05:58 /bin/netstat
    -rwxr-xr-x   1 509      dialout     28952 Nov  3 05:58 /bin/ps
    -rwxr-xr-x   1 509      dialout     14201 Dec 24 20:39 /bin/terminal

Okay.... I can't see what is running because ps is down.
Funny, they didn't patch ls very well ;)

I killed inetd...
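The three tells found by eye above (system binaries owned by uid 509 / group dialout, r-services and telnet enabled in inetd.conf, root's .bash_history pointing at /dev/null) can be scripted. This is an added example and is not part of the original log; the sample listings are constructed to mirror the ones above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original incident log: three triage checks
# that mechanise what the log did by eye. Sample inputs below are constructed
# to mirror the listings in the log; on a live box feed in real data instead:
#   ls -l /bin/* /usr/bin/* /sbin/* /usr/sbin/* | flag_nonroot_binaries
#   flag_inetd_services < /etc/inetd.conf
#   check_history_symlink /root

# Constructed sample: ls -l lines modelled on the log. Packaged binaries on a
# Red Hat box are root:root; uid 509 / group dialout is the attacker's build user.
SAMPLE_LS='-rwxr-xr-x 1 509 dialout 138283 Nov 3 05:58 /bin/ls
-rwxr-xr-x 1 root root 13696 Nov 3 05:58 /bin/cat
-rwxr-xr-x 1 509 dialout 28952 Nov 3 05:58 /bin/ps
-rwxr-xr-x 1 509 dialout 71315 Dec 24 20:34 /bin/login'

# Print the path of every entry whose owner or group is not root.
# Caveat: a trojaned ls may lie about ownership, so run this with a statically
# linked ls/awk from clean media, or against the disk mounted on another host.
flag_nonroot_binaries() {
    awk '$3 != "root" || $4 != "root" { print $NF }'
}

# Constructed sample inetd.conf with the r-service and telnet lines from the
# log, plus a commented-out ftp line to show that disabled entries are skipped.
SAMPLE_INETD='#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
telnetd stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd'

# Print the service name of every enabled entry that starts an r-service or
# telnet daemon. Field 6 is the tcpd wrapper, so the real server name is in a
# later field; scan from 6 onwards.
flag_inetd_services() {
    grep -Ev '^[[:space:]]*(#|$)' |
    awk '{ for (i = 6; i <= NF; i++)
               if ($i ~ /in\.(rshd|rlogind|rexecd|telnetd)$/) { print $1; break } }'
}

# Return 0 (and print the link target) when $1/.bash_history is a symlink
# to /dev/null, the trick the log found in root's home; return 1 otherwise.
check_history_symlink() {
    hist="$1/.bash_history"
    [ -L "$hist" ] && [ "$(readlink "$hist")" = /dev/null ] && readlink "$hist"
}
```

On a real Red Hat box the ownership check is a weak stand-in for `rpm -Va`, which reports size, mode, MD5, owner, group and mtime mismatches against the package database; but rpm, ls and awk can all be trojaned, so run them from clean media. `lsattr` shows the ext2 attributes (immutable, append-only, and so on) that the log later had to clear with chattr before the files could be replaced.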
(I suspect the ftpd let them in)

/etc/passwd:

    -rw-r--r--   1 root     root         1269 Jan 23 12:47 passwd
    -rw-r--r--   1 root     root         1192 Jan 19 08:22 passwd-
    -rw-r--r--   1 root     root         1187 Jan 19 08:39 passwd.OLD
    -r--------   1 root     root         1124 Jan 23 12:47 shadow
    -r--------   1 root     root         1043 Jan 19 08:25 shadow-
    -r--------   1 root     root          968 Jan 15 21:01 shadow.old
    -r--------   1 root     root          968 Jan 14 23:33 shadow.prerudy

diff shadow.prerudy shadow

    1c1
    < root:$1$tJuuLKcS$1Q9tmgSBwBp1.XkzO69.B.:11116:0:99999:7:-1:-1:134539268
    ---
    > root:$1$J6IJDQi4$bMDS68OpaSz3gvKeUDRkV0:11337:0:99999:7:-1:-1:134540356
    30c30,33
    < rudy:$1$VVtTrz5Z$rdWUjxzwvBKKClBWCrde31:11336:0:99999:7:-1:-1:134540308
    ---
    > rudy:$1$SMUSlPDA$dFxuBJ.MdezpGNZBWQ6m3/:11337:0:99999:7:-1:-1:134540356
    > flipftp:$1$.6MfDXJD$ZStUN1Kiu/bdGFUNJC2CZ1:11341:0:99999:7:-1:-1:134540364
    > lpd:6NUq4mLTdgX6Y:11235::99999::::135640292
    > admin:pl4eLhj3jNRos:0:0::/:/bin/bash

lpd and admin are 0wn3d!  Killed accounts.

2 31337

strings /bin/login

    [snip]
    $Id: getpass.c,v 1.10 1999/08/27 19:02:51 marekm Exp $
    GETPASS_ASTERISKS
    /dev/tty
    $Id: gshadow.c,v 1.6 1998/04/02 21:51:43 marekm Exp $
    /etc/gshadow
    $Id: port.c,v 1.3 1997/12/07 23:26:54 marekm Exp $
    /etc/porttime
    $Id: pwauth.c,v 1.10 1999/08/27 19:02:51 marekm Exp $
    Password:
    LOGIN_STRING
    kohhokk
    /dev/own
    ------------------------
    Username: %s Password: %s
    $Id: fputsx.c,v 1.5 1999/06/07 16:40:44 marekm Exp $
    /bin/sh
    /bin/sh
    /etc/login.defs

Let's fix some RPMs.  I had to run 'chattr -s -S -u -c -a -d -A -i FILENAME' for each file to erase it.

    find ls du vdir dir netstat

    ftp.redhat.com
    cd redhat/redhat-6.2/i386/RedHat/RPMS
    get ....
    rpm -i procps-2.0.6-5.i386.rpm --force
    etc.

---------------------

What was running?  Nothing unusual... there was a /rk and /rk/... directory.
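The shadow diff and the strings output above give two more things worth checking mechanically: extra uid-0 accounts (admin), shadow entries that do not look like the rest of the file (the admin line is a passwd-format record dropped into shadow, and lpd carries a 13-character DES hash among $1$ MD5 ones), and a login binary that names an unexpected /dev path next to a "Username: %s Password: %s" format string. This is an added example and not part of the original log; the passwd/shadow samples are constructed with placeholder hashes, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original incident log: account and backdoor
# checks modelled on the shadow diff and the strings output in the log. Sample
# data is constructed; the hashes are placeholders, not the ones from the log.
# On a live box:
#   flag_uid0_accounts < /etc/passwd
#   flag_odd_shadow_lines < /etc/shadow
#   flag_dev_paths /bin/login

# Constructed /etc/passwd: "admin" is a second uid-0 account like the one the
# log found; "lpd" here is a normal service account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
lpd:x:4:7:lp:/var/spool/lpd:
admin:x:0:0::/:/bin/bash
rudy:x:500:500::/home/rudy:/bin/bash'

# Print every account other than root whose uid is 0.
flag_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Constructed /etc/shadow. Real shadow fields 3..8 are day counts or empty;
# the "admin" line is a passwd-format record (home dir and shell where the
# ageing fields should be), which is the shape the log's diff shows.
SAMPLE_SHADOW='root:$1$xxxxxxxx$yyyyyyyyyyyyyyyyyyyyyy:11337:0:99999:7:::
lpd:zzzzzzzzzzzzz:11235::99999::::
admin:zzzzzzzzzzzzz:0:0::/:/bin/bash'

# Print the user name of every shadow line whose ageing fields (3..8) are not
# all empty or numeric, or whose hash is empty or is neither a $-prefixed
# crypt (e.g. $1$ MD5) nor a locked marker (! or *). A bare 13-character DES
# hash in a file that otherwise uses $1$ stands out, as lpd's does in the log.
flag_odd_shadow_lines() {
    awk -F: '{
        bad = 0
        for (i = 3; i <= 8; i++) if ($i != "" && $i !~ /^[0-9]+$/) bad = 1
        if ($2 == "" || ($2 !~ /^\$/ && $2 !~ /^[!*]/)) bad = 1
        if (bad) print $1
    }'
}

# Print every /dev path referenced by the binary $1, except the ones a stock
# login legitimately uses (/dev/tty, /dev/null). NULs are turned into newlines
# so each embedded string is its own line; grep -a treats the file as text, so
# strings(1) is not required. In the log the trojaned login named /dev/own
# right next to its "Username: %s Password: %s" format string.
flag_dev_paths() {
    tr '\0' '\n' < "$1" |
    grep -aoE '/dev/[A-Za-z0-9_./-]+' | sort -u |
    grep -Ev '^/dev/(tty|null)$' || true
}
```

These checks only tell you that something is wrong, not what the replacement binaries do; the fix the log applied (clear the ext2 attributes with chattr, then reinstall the packages from the distribution mirror with `rpm -i --force`) is the right shape, but the reinstalled files should be verified against the package's own checksums from clean media rather than with the rpm binary on the compromised host.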