Great Circle Associates Firewalls
(October 1996)


Subject: Re: devnull
From: somebody @ tempest . ashd . com
Date: Thu, 24 Oct 1996 00:17:48 -0500 (CDT)
To: uhaas @ tsg-atl . com
Cc: Lars_Viding <viding @ noc . dn . se_>, firewalls @ GreatCircle . COM
In-reply-to: <862563CC:005B366D . 00 @ atlanta . tsg-atl . com>

On Wed, 23 Oct 1996 uhaas @ tsg-atl . com wrote:

> I have a friend that owns an ISP that was recently broken into and they
> linked a lot of the security logs (in Linux) to /dev/null. Is it possible
> that someone broke in some other way and was trying to link some other file
> to /dev/null but had a typo?
	I am going to have to say that your ISP was probably using Linux
and the offender used t00lk_t to do this. Tell your ISP to cross-verify
MD5 signatures for /bin/login, /bin/bash, /usr/bin/find, /usr/sbin/tcpd, and
might as well check your libc.so.{4,5} while you are at it. After he has done
that, run find / -perm -6000, and after he has found all the setuid programs,
examine them; if any are shell scripts, add "PATH=/usr/bin:/bin" and
"IFS=", and also get rid of stuff that does not need to be setuid.

						Carlos
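The three checks Carlos lists (compare critical binaries against trusted MD5s, enumerate setuid programs, and look at setuid shell scripts for PATH and IFS) as a small POSIX shell triage script. This is an added example, not code from the original post or from the list; the baseline file format ("digest  path" per line), the function names and the sample paths are assumptions. One caveat it encodes: `find -perm -6000` matches only files with both the setuid and setgid bits set, so the script tests the two bits separately to catch either.

```shell
#!/bin/sh
# Added example (not from the original post): post-intrusion triage covering
# checksum verification of a trusted baseline, setuid/setgid enumeration, and
# a check that setuid shell scripts pin PATH and IFS. Paths, function names
# and the baseline format are assumptions made for this example.

# Hash one file with md5sum (coreutils) or openssl; print only the digest.
hash_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Record a baseline: one "digest  path" line per file given on the command line.
# Take it from a known-clean system or install media, not from the compromised host.
make_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
    done
}

# Compare every baseline entry with the file's current digest.
# Prints "MODIFIED <path>" or "MISSING <path>"; returns 1 if anything differs.
verify_baseline() {
    baseline=$1
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# List regular files with the setuid OR setgid bit set under a directory.
# (-perm -6000 alone would require both bits on the same file.)
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# For a setuid/setgid file that is a script (starts with "#!"), report if it
# does not explicitly assign PATH and IFS. Returns 1 when something is flagged;
# compiled binaries return 0 because there is nothing to check here.
check_setuid_script() {
    f=$1
    head -c 2 "$f" | grep -q '^#!' || return 0
    rc=0
    grep -q '^[[:space:]]*PATH=' "$f" || { echo "NO-PATH $f"; rc=1; }
    grep -q '^[[:space:]]*IFS='  "$f" || { echo "NO-IFS $f";  rc=1; }
    return $rc
}

# Run all three checks: baseline verification, then every setuid/setgid file
# under the root is listed and, if it is a script, checked for PATH and IFS.
triage() {
    root=$1; baseline=$2
    echo "== checksum verification against $baseline"
    verify_baseline "$baseline"
    echo "== setuid/setgid files under $root"
    find_setuid "$root" | while read -r f; do
        echo "$f"
        check_setuid_script "$f"
    done
}
```

Typical use is `make_baseline /var/tmp/baseline.md5 /bin/login /bin/bash /usr/bin/find /usr/sbin/tcpd` on a clean reference system, then `triage / /var/tmp/baseline.md5` on the suspect host. The digests must come from somewhere the intruder could not have touched; a baseline generated on the compromised machine only confirms the replaced binaries against themselves.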


