On Tue, 27 Apr 1999, Matthias Schmitt wrote:
> Hello,
>
> this night we discovered here a strange behaviour on our servers. Somebody
> managed to get access to the UNIX shell using the 'postgres' db
> administrator account. He logged in some machines with a single try ! The
> password was not part of any dictionary. He tried some other accounts,
> without success. Under the user postgres he installed an 'eggdrop' program
> on the machine, implementing an IRC server.
>
> If you want to look on your servers, look for an ".elm/..." directory in
> the postgres home directory. You may discover too some processes named
> "./..." or "../ -m" running under the postgres user.
>
> Is there any chanche, that the postgres database contains a bug giving
> shell access ? Is there any chance to trace what happens on the postgres
> port ?
Is it possible the intruder guessed the password on the postgres
administrator's account? Or perhaps a script run via mail?
Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH email: vev@michvhf.com flame-mail: /dev/null # include <std/disclaimers.h>
TEAM-OS2 Online Campground Directory http://www.camping-usa.com Online Giftshop Superstore
http://www.cloudninegifts.com
==========================================================================
