On Wed, 2004-08-25 at 17:32, Richard Verwayen wrote:
> The attackers installed some software and irc-bots and tried to use this
> host for testing other computers, that's not the point. I would like to
> know where's the weak point in the system? As the system was updated on
> a daily basis! The only known weaknesses were these two accounts!

How do you know what they brought in? Do you have shell history files available? Care to share them with us?

Shell history (if left over) should give a clue to not just what they brought in, but also how they used it. That will answer your question as to what local root exploit they used.

If you don't have shell history files left over, try repeating the experiment with .history hard-linked to something like .opera/adprefs.ini (create other .opera/ files as cover). Once they clean up and delete the .history file, you should be left with a copy in .opera/adprefs.ini. (Depending on the clue level of the script kiddie he may not find the linked copy).

If you do have .history content, or other log info, please share it here with us.

Regards, Frank
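The hard-link suggestion in the message above, as an added shell example that is not part of the original post: it shows that deleting .history leaves the data reachable through the decoy name, and that truncating the file in place empties both names because they share one inode. The function names, the temp directory and the sample history entry are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo of the hard-link idea; everything lives in a throwaway temp dir.

# Create an empty history file and hard-link it to a decoy name.
# Hard links only work within one filesystem, so both paths stay under $1.
setup_decoy() {
    mkdir -p "$1/.opera"
    : > "$1/.history"
    ln "$1/.history" "$1/.opera/adprefs.ini"
}

# Number of directory entries (names) that point at the file's inode.
link_count() {
    ls -ln "$1" | awk '{print $2}'
}

# Case 1: the history file is deleted. rm removes one name only,
# so the decoy name still reaches the recorded commands.
after_delete() {
    d=$(mktemp -d)
    setup_decoy "$d"
    echo 'uname -a' >> "$d/.history"     # constructed history entry
    rm -f "$d/.history"
    cat "$d/.opera/adprefs.ini"
    rm -rf "$d"
}

# Case 2: the history file is truncated in place instead of deleted.
# Both names share the inode, so the decoy is emptied as well.
after_truncate() {
    d=$(mktemp -d)
    setup_decoy "$d"
    echo 'uname -a' >> "$d/.history"     # constructed history entry
    : > "$d/.history"
    wc -c < "$d/.opera/adprefs.ini" | tr -d ' '
    rm -rf "$d"
}

echo "after delete, decoy holds: $(after_delete)"
echo "after truncate, decoy bytes: $(after_truncate)"
```

A link count of 2 on .history is visible in `ls -l` output, so the decoy is only as hidden as that column is unread.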