RE: resolved Re: should i publish a list of cracked machines?

From: Jim Mercer
Sent: Thursday, August 23, 2001 9:39 AM

my suspicions and some things to look for:

- boxes were compromised using the buffer overflow in telnetd (speculation)
- my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
- nscd appears to be a hacked sshd, listening on a 14000 series port
- it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
- there was a file in /dev/ptaz which appeared to be DES crypto gunge
- there were a bunch of irc/eggdrop related files in a ".e" directory of
  one of the user's $HOME

suggestions for looking about:

- do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files
  with the same timestamp
- do a "du /dev" and look for anomalies
- do a "cd /dev ; ls -l | grep -e-" and look for anomalies
- do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies

Shorter answer ... run tripwire.
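The manual checks suggested above (bindir timestamp outliers, regular files sitting in /dev, hidden directories dropped into a user's $HOME) as an added, scripted example; this is not code from the original post or from FreeBSD. It builds a constructed sample tree under a temporary directory, with a planted "nscd" whose mtime differs from its neighbours, a planted regular file "dev/ptaz" beside a legitimate non-regular entry, and a hidden "home/alice/.e" directory, and runs each check against that tree. The path names and the three function names are assumptions for the example; point the functions at /usr/bin, /dev and /home on a real host instead.

```shell
#!/bin/sh
# Added example: scripted versions of the "look for anomalies" checks.
# ROOT is a constructed sample tree, NOT a real system; names such as
# nscd, ptaz and .e are chosen to mirror the findings in the post above.
set -u
ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT

build_sample_tree() {
    mkdir -p "$ROOT/usr/bin" "$ROOT/dev/fd" "$ROOT/home/alice/.e" "$ROOT/home/alice/work"
    # "Normal" binaries: all installed at once, so they share one mtime.
    for b in ls cat sh; do : > "$ROOT/usr/bin/$b"; done
    touch -t 200101010000 "$ROOT/usr/bin/ls" "$ROOT/usr/bin/cat" "$ROOT/usr/bin/sh"
    # Planted binary with a later mtime (the kind of outlier "ls -lta" shows).
    : > "$ROOT/usr/bin/nscd"
    touch -t 200108200000 "$ROOT/usr/bin/nscd"
    # /dev: a FIFO stands in for a device node (mknod needs root); the
    # planted "ptaz" is a plain regular file, which has no business in /dev.
    mkfifo "$ROOT/dev/fifo0"
    printf 'not really crypto gunge\n' > "$ROOT/dev/ptaz"
    # A hidden regular file is normal in $HOME; a hidden directory is worth a look.
    : > "$ROOT/home/alice/.profile"
}

# Print regular files in DIR whose "ls -l" date fields differ from the
# most common date in that directory.  LC_ALL=C pins the date layout to
# fields 6-8; granularity is a minute for recent files, a day for old ones.
# Filenames containing whitespace are not handled (rare in bindirs).
odd_mtime_files() {
    dir=$1
    (cd "$dir" && LC_ALL=C ls -l) | awk -v dir="$dir" '
        $1 ~ /^-/ { d = $6 " " $7 " " $8; date[NR] = d; name[NR] = $9; cnt[d]++ }
        END {
            max = 0
            for (d in cnt) if (cnt[d] > max) { max = cnt[d]; mode = d }
            for (i = 1; i <= NR; i++)
                if ((i in name) && date[i] != mode) print dir "/" name[i]
        }'
}

# Regular files under a /dev-style directory.  Device nodes, FIFOs,
# symlinks and directories are expected there; plain files are not.
regular_files_in_dev() {
    find "$1" -type f | sort
}

# Hidden directories directly inside each home directory (e.g. ~/.e).
hidden_dirs_in_homes() {
    for d in "$1"/*/.[!.]* "$1"/*/..?*; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

build_sample_tree
echo "== $ROOT/usr/bin entries whose mtime differs from the rest"
odd_mtime_files "$ROOT/usr/bin"
echo "== regular files under $ROOT/dev"
regular_files_in_dev "$ROOT/dev"
echo "== hidden directories in home directories under $ROOT/home"
hidden_dirs_in_homes "$ROOT/home"
```

Against the constructed tree each check reports exactly the planted item. On a real host the timestamp check only flags files that differ from the majority, so a box where the whole bindir was replaced at once would not stand out; that is why the post's shorter answer, a Tripwire baseline taken while the system was known-good, is the real fix.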