OT: Earthlink Contact - Important Root Hacked
Sorry to bother you all but I am looking for a contact at Earthlink. The IP is under Sprint Advanced Network Services, Altamonte Springs Florida. We have called that contact and shuffled onto Earthlink. The 1-800# to their support line proved futile. The traditional emails to webmaster@ abuse@ etc have been sent and several phone calls have been made to contact someone responsible to no avail. We would like to contact someone who can remove the exploit that is on one of their machines. It gives the user root access (no password required) and allows you to remote copy an exploit to other machines. Our efforts have lapsed over the past several days. This exploit was used on us and we would like to remove any likelihood of others being compromised. The exploit is in the hands of the people at rootshell. -- Kim Graham, CCNA System Administrator, Client Services
On Fri, 07 Jul 2000 12:46:12 PDT, "K. Graham" <kgraham@ican.net> said:
> This exploit was used on us and we would like to remove any likelihood of others being compromised. The exploit is in the hands of the people at rootshell.
Umm.. is this a *new* exploit that the rootshell people have been given, but isn't in general circulation yet? If it's already available at rootshell, you should assume that every script kiddie on the planet has a copy, and start patching your systems. Unless you've been VERY lucky and are one of the first dozen or so machines to have been targeted by a brand-new exploit, removing the copy that's at earthlink is just urinating into the wind. Note - this is *NOT* saying that the Earthlink machine doesn't need cleaning up - just that the *exploit* is almost certainly widespread enough that removal of the one copy won't change the fact it's out there and will be used on others. -- Valdis Kletnieks Operating Systems Analyst Virginia Tech
Thank you to all that replied. We have been in voice contact with someone that can take care of this. As to the questions of whether it is a new or older exploit, we will have to wait until we get confirmation as to the nature of the exploit. -- Kim Graham, CCNA System Administrator, Client Services
On Fri, Jul 07, 2000 at 12:46:12PM -0700, K. Graham wrote:
> Sorry to bother you all but I am looking for a contact at Earthlink. The IP is under Sprint Advanced Network Services, Altamonte Springs Florida. We have called that contact and shuffled onto Earthlink. The
Does it reverse lookup to something sprint-hsd.net? If so, it's somebody's DSL connection, and it may or may not be (but probably is) a dynamic IP. I'd nmap it and see what OS it is, and if it's Linux or Unix take a shot at emailing root at that address, maybe you'll get lucky. Then point them at http://www.elug.org, which is the local Linux User's Group in that area, and I'll give 'em a few pointers on firewall setup. If you'd like to email me privately with the IP, feel free.
participants (3): K. Graham, Shawn McMahon, Valdis.Kletnieks@vt.edu