[plug] password sniffer - alert

Denis Brown dsbrown at cyllene.uwa.edu.au
Fri Oct 24 12:43:49 WST 2003


Dear PLUG list members,

UWA's Grahame Bowland has permitted me to forward this.

- - - - - - -
If you are running Linux servers, please perform the following steps. Do
not skip the "cd" commands; they are vital to get around the way this
thing hides itself.

1. Run: ls -la /dev/drg
If this directory exists (access it directly, do not rely on the
output of an ls of /dev/) then you may have been compromised.

2. Run: cd /sbin
Run: ls -la telinit
If this is a binary file rather than a symlink, you have almost
certainly been hacked. This advice applies to Debian GNU/Linux systems
and may not apply to other Linux variants, but please check.

The way to fix is to boot with "init=/bin/sh" and replace "/sbin/init"
with the correct "/sbin/init" which will possibly have been renamed to
"/sbin/init.drg". Upon reboot you'll be clean, and in /dev/drg/.sniffer
there will be captured passwords. You need to analyse this file
ASAP and restrict access to accounts that have been compromised.
- - - - - -

Subsequent comments within UWA suggested that not only Debian is
vulnerable; several RH installations were mentioned. Seems a possible
attack vector was unpatched SSLs.

HTH and thanks to Grahame,
Denis
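The checks in the forwarded advisory (the hidden /dev/drg directory, /sbin/telinit being a regular file instead of a symlink, and the renamed /sbin/init.drg) are easy to automate so they can be run the same way on every host. The script below is an added example, not part of the original post or of Grahame's advice. It assumes the Debian layout of the time, where /sbin/telinit is a symlink to init, and it takes an optional root prefix so the same functions can be pointed at a disk mounted from a rescue boot (the advisory's own point: a rootkitted running system may lie about its files). The function names and the indicator count are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original post): POSIX sh checks for the
# indicators named in the advisory. ROOT is a prefix ("/" for the running
# system, or e.g. /mnt for a disk mounted from a rescue boot), so a clean
# medium can inspect the suspect filesystem directly.
# Function names and the indicator tally are this example's own design.

# 1. /dev/drg: test the path directly rather than trusting "ls /dev/",
#    since the advisory says the kit hides itself from directory listings.
has_drg_dir() {
    [ -d "${1%/}/dev/drg" ]
}

# 2. /sbin/telinit: on the Debian systems the advisory describes this is a
#    symlink to init; a regular file in its place is the indicator.
#    (-f follows symlinks, so the regular-file test is "exists and is not
#    a symlink".)
telinit_is_regular_file() {
    p="${1%/}/sbin/telinit"
    [ -e "$p" ] && [ ! -L "$p" ]
}

# 3. The renamed original init the advisory mentions.
has_init_drg() {
    [ -e "${1%/}/sbin/init.drg" ]
}

# Print the number of indicators found under ROOT (0..3). Always exits 0,
# so it is safe to call from a "set -e" script.
count_indicators() {
    root="${1:-/}"
    n=0
    has_drg_dir "$root" && n=$((n + 1))
    telinit_is_regular_file "$root" && n=$((n + 1))
    has_init_drg "$root" && n=$((n + 1))
    echo "$n"
}

# Human-readable report. Returns 1 when any indicator is present so the
# script can be chained into a monitoring job.
scan_host() {
    root="${1:-/}"
    base="${root%/}"
    has_drg_dir "$root" && echo "INDICATOR: $base/dev/drg exists"
    telinit_is_regular_file "$root" && \
        echo "INDICATOR: $base/sbin/telinit is a regular file, not a symlink"
    has_init_drg "$root" && echo "INDICATOR: $base/sbin/init.drg exists (renamed original init?)"
    n=$(count_indicators "$root")
    if [ "$n" -eq 0 ]; then
        echo "no indicators under ${root}: note a clean result from a live host is not proof; re-check from a rescue boot"
        return 0
    fi
    echo "$n indicator(s) under ${root}: review $base/dev/drg/.sniffer and rotate every credential that could appear in it"
    return 1
}

# Scan the running system, or a mounted disk when a path is given as $1.
scan_host "${1:-/}" || :
```

Run it as root on the live host first, then again with the disk mounted read-only from a rescue boot and the mount point passed as the argument; only the second result is trustworthy, because the first is produced by the very binaries the advisory says have been replaced. Note that the telinit test encodes the Debian convention quoted above and will need adjusting on distributions where telinit is legitimately a separate binary.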


_______________________________________________
plug mailing list
plug at plug.linux.org.au
http://mail.plug.linux.org.au/cgi-bin/mailman/listinfo/plug