RootPrompt.org: My experience with being cracked
Jul 19, 2000, 11:44
(Other stories by Tyler)
"About 9 months ago I started doing security consulting work for my ISP. In exchange for free internet access, I would look over their machines and check for security flaws, cracked accounts, etc. They had a pretty typical setup for an ISP. The webservers were running Red Hat and Apache, the email server was an NT machine running Imail and their two DNS servers were running Red Hat and OpenBSD."
"The first machine I had access to was a webserver/production machine running Red Hat 5.0. The machine was used to write CGI programs for their clients and to test the programs out."
"When I first got on the machine, everything looked normal except for the logs. For some reason, utmp and wtmp looked like they had been corrupted. Whenever I would issue a 'who' or 'last' command, I would get garbage back. I suspected a trojan program, especially after the files were zeroed and the output from the programs was still corrupted."