Gentoo linux you decide (revision 2)
Posted by Sponge on November 3rd, 2003


On Mon, 03 Nov 2003 10:34:41 -0800, a-wall wrote:

Uh, after 10 years administering Unix and Linux, you should surely be
aware that the IP you mentioned is a multicast address.

--
Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 att yahoo dott com



Posted by a-wall on November 3rd, 2003


Hi, I have been in the business of administration for unix and Linux for
almost ten years now.
My laptop was hacked, and in such a way that AIDE, a free version of
Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
system. I was testing WiFi and my iptables firewall was messed up for a
day.

I believe the attack originated from a #gentoo-sparc channel but I nuked
all my logs in a hurry to get the system back up.

I did an lsattr, and /bin/ps and /bin/netstat, among other binaries, had been
changed to immutable, and the md5sums didn't match the ones on record.

I have most of the hacked system on my NFS server and am bringing it
back up to watch traffic.

The trojan was sending data to IP address 224.0.0.251 on port 5353.
I cannot find who owns this IP address, and it could be a decoy.

I replaced these to attempt to track down the hackers, and the lib
disappeared, but I still have the hacked binaries, /bin/login etc., on tape.

I should have just left it alone so I didn't inadvertently destroy
evidence.

When I asked for help from the second in command at Gentoo Linux I
received none, and the following is what I have so far.

My legal aide and I came in as botched and themp/th3mp in this
conversation with seemant, the second in command at Gentoo.
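The post above describes three things a responder would want to check on a box like this: whether binaries still match a known-good baseline, whether the dynamic loader is injecting a library (the LD_PRELOAD trick that hid changes from AIDE), and what the address the trojan was talking to actually is. The script below is an added example written for this page, not code from the thread or from Gentoo; the baseline format, the sample file contents, and the library name /usr/lib/libproc_hide.so are constructed for illustration. The one fact it relies on is that 224.0.0.251 is the IPv4 multicast group used by mDNS (RFC 6762) on UDP 5353, so there is no "owner" to look up.

```python
"""Post-compromise triage helpers (added example, not from the original post).

  1. hash files against a baseline recorded while the box was known-good,
  2. list libraries the dynamic loader would inject (LD_PRELOAD env var and
     the loader's preload file), since such a library can hook open()/read()
     and feed a checker like AIDE the original file contents,
  3. classify the destination a suspect process talks to: 224.0.0.251 is a
     multicast group (the IPv4 mDNS group, RFC 6762), not a host anyone owns.
Paths, file contents and the baseline format are this example's assumptions.
"""
import hashlib
import ipaddress
import os
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths):
    """Return {path: sha256}. Keep the result off the box (tape, read-only media)."""
    return {p: sha256_of(p) for p in paths}


def check_baseline(baseline):
    """Return a list of (path, reason) for files that no longer match the baseline."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif sha256_of(path) != expected:
            findings.append((path, "hash mismatch"))
    return findings


def preload_indicators(env=None, preload_file="/etc/ld.so.preload"):
    """Return library paths the loader would inject into every dynamic binary.

    LD_PRELOAD is colon- or space-separated; the preload file is read here as
    whitespace-separated entries, with '#' treated as a comment marker."""
    env = os.environ if env is None else env
    libs = [t for t in env.get("LD_PRELOAD", "").replace(":", " ").split() if t]
    try:
        with open(preload_file) as f:
            for line in f:
                libs.extend(line.split("#", 1)[0].split())
    except OSError:
        pass  # no preload file: nothing injected via that route
    return libs


def classify_destination(ip, port):
    """Return (kind, note) telling the responder whether a registry lookup makes sense."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        note = "multicast group: no single owner, a whois/registry lookup is meaningless"
        if str(addr) == "224.0.0.251" and port == 5353:
            note += "; this is the IPv4 mDNS group and port (RFC 6762)"
        return "multicast", note
    if addr.is_private or addr.is_loopback or addr.is_link_local:
        return "local", "non-routable address, look on your own network"
    return "unicast", "routable address, registry lookup applies"


def demo():
    """Constructed scenario: a 'clean' ps, then a replaced copy and a planted preload file."""
    d = tempfile.mkdtemp()
    ps = os.path.join(d, "ps")
    with open(ps, "wb") as f:
        f.write(b"\x7fELF original ps (constructed)\n")
    baseline = record_baseline([ps])
    clean = check_baseline(baseline)
    with open(ps, "wb") as f:
        f.write(b"\x7fELF trojaned ps (constructed)\n")
    dirty = check_baseline(baseline)
    preload = os.path.join(d, "ld.so.preload")
    with open(preload, "w") as f:
        f.write("# planted by rootkit (constructed)\n/usr/lib/libproc_hide.so\n")
    libs = preload_indicators(env={}, preload_file=preload)
    return {"clean": clean, "dirty": dirty, "libs": libs,
            "dest": classify_destination("224.0.0.251", 5353)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The hash check only proves something if the checker itself is trustworthy: a preloaded library that hooks the libc file calls can hand a dynamically linked checker the original bytes. Run it statically linked, or from rescue media against the mounted disk, and compare against a baseline stored off the box. Immutable flags (the `lsattr` finding in the post) are not covered here because reading and clearing them needs root and an ext-family file system; on a live box `lsattr /bin/* /sbin/*` is the quick way to spot them.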

Posted by donutbandit on November 3rd, 2003


a-wall <a-wall@qwest.net> wrote in
news:wexpb.169$9U4.29775@news.uswest.net:


I thought Linux was completely safe. at least, that's what certain people
would have you believe.

Posted by Jason on November 3rd, 2003


* donutbandit <none@none.com>:
The only completely safe box is the one still in the packing box, and you know
it. Or maybe a standalone that's never on any network of any sort.

Jason

Posted by Dazz on November 4th, 2003


On 3 Nov 2003 19:12:18 GMT, donutbandit <none@none.com> wrote:

Why would you say that?

If a computer is networked, or even if someone has physical access to
it, then it can't be truly regarded as safe.

Security isn't something that can be narrowed down to just the
Operating System.

Most Operating Systems straight out of the box aren't secure (some
more so than others).

The reality is that there are all sorts of things that must be taken
into consideration in regards to computer security, such as what
services you're running on the box, what your users are allowed to
do, how well you keep the box patched, etc. etc. etc.

It's also important to realise that there is a difference between an
Operating System being exploited, and, for instance, a daemon running
on top of that Operating System.

An example of this, would be say, Apache. Just because Apache has a
vulnerability and can be open to exploit, does not mean that Linux was
at fault (this is something that's often overlooked by Micro$oft
biased media reports).

And that's something a lot of people seem to forget.

Having said that, this is more true regarding *nix boxes than Windows
boxes, as Micro$oft usually develops the daemons listening on top of
the Operating System as well, i.e. IIS.

Obviously, this isn't always the case as well, as there are third
parties that develop daemons for Windows as well.

Dazz


Posted by Dazz on November 4th, 2003


On Mon, 03 Nov 2003 10:34:41 -0800, a-wall <a-wall@qwest.net> wrote:

<snipped>

Why would you expect them to help you?

Because you believe the attack originated from a #gentoo-sparc
channel?

If that's the case, then I'm not surprised that they haven't contacted
you.

Dazz


Posted by a-wall on November 8th, 2003


Sponge wrote:
Yes, I know it's a multicast address; I still have to troll a little for
more information. As to the validity of my logs: if I were whoever is
questioning the validity of them, try to get the valid logs from
gentoo-sparc.

And if you use the word "Uh" you must be 15, correct?


