[LUAU] Hackers found

Scott Cooley scott at hi.net
Thu Jan 28 00:08:23 PST 1999


Prompted by complaints of slow net response times at one of my jobsites, I
investigated their linux mailserver to find out it had been hacked.  Some
luser, as it would seem from another country, had gained root and created
a couple of accounts.  One had gid/uid 0 and no password, so he could telnet
in with no password and be root.  The other was a normal user account, and
in his home dirs were a few packages, namely lrk4, wipe (log wiper), and
an irc proxy called bnc.  This lrk4 thingy managed to replace many
binaries with "trojaned" versions, which give root access to whoever runs
them: programs like ls, chfn, chsh, passwd, login, ps, pidof, cron etc.

Anyway, I tracked down his source IP and ipfwadmed his subnet out of the
system till I can do something more permanent.  Meanwhile I killed his irc
program, which brought net bandwidth back up.  Fortunately, I made backup
to CD a few weeks ago, but I got to thinking, whatever he did, he could do
again the exact same way.  I poked around rootshell to try and find what
exploit he could have used, but there's so many now.

Does anyone have a suggestion as to how I can prevent this from happening
again once I restore the backup?  What exploit could someone use who
didn't already have shell access to the box?  I'm running RedHat 5.1, and
(to my knowledge) the box was pretty well secured, i.e. only minimal inetd
stuff going and no majorly buggy daemons installed.  Needless to say, the
logs were wiped so I can't tell exactly what happened.

thanks in advance,
scott
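Two defender-side checks for the symptoms Scott describes, as an added example that is not part of the original post or of any of the tools it names: an audit of a passwd file for extra uid/gid-0 accounts and for accounts with an empty password field, and a checksum baseline that catches binaries replaced by a rootkit. The function names, the sample passwd lines and the sample "binaries" are all constructed for illustration; the checks themselves use only POSIX tools (awk, cksum) that a 1999-era Linux box would have.

```shell
#!/bin/sh
# Added example, not code from the original post. Two defender-side checks for
# the compromise described: (1) audit a passwd file for extra uid/gid-0 accounts
# and accounts with an empty password field; (2) compare files against a
# checksum baseline to spot binaries replaced by a rootkit such as lrk4.
# The sample passwd lines and "binaries" below are constructed for illustration.
# Run the integrity check with tools from trusted media (the CD backup or a
# rescue boot): a rootkit replaces the very tools used to inspect the box.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- 1. account audit -------------------------------------------------------

# Print every account, other than root, whose uid or gid is 0.
extra_uid0_accounts() {        # usage: extra_uid0_accounts PASSWD_FILE
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 }' "$1"
}

# Print every account whose password field is empty (login needs no password).
# On a shadowed system the same test must also be run against /etc/shadow.
empty_password_accounts() {    # usage: empty_password_accounts PASSWD_FILE
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Constructed sample: "toor" has uid/gid 0, "bnc" has no password.
SAMPLE_PASSWD="$WORK/passwd"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/:/bin/sh
scott:x:500:500:Scott:/home/scott:/bin/bash
bnc::501:501::/home/bnc:/bin/bash
EOF

echo "uid/gid 0 accounts besides root: $(extra_uid0_accounts "$SAMPLE_PASSWD")"
echo "accounts with empty password:    $(empty_password_accounts "$SAMPLE_PASSWD")"

# --- 2. binary integrity check ----------------------------------------------

# Record a baseline: one "crc size path" line per file. cksum is POSIX and so
# present on an old box; prefer sha256sum where it exists.
record_baseline() {            # usage: record_baseline BASELINE_FILE path...
    baseline=$1; shift
    cksum "$@" > "$baseline"
}

# Print "CHANGED path" for each baseline entry whose checksum or size differs
# and "MISSING path" for entries that no longer exist.
changed_files() {              # usage: changed_files BASELINE_FILE
    while read -r crc size path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
        elif [ "$(cksum "$path" | awk '{ print $1, $2 }')" != "$crc $size" ]; then
            echo "CHANGED $path"
        fi
    done < "$1"
}

# Constructed sample "binaries": record them clean, then tamper with one.
# The replacement has the same size, so only the checksum reveals it.
mkdir -p "$WORK/bin"
printf 'original ls\n' > "$WORK/bin/ls"
printf 'original ps\n' > "$WORK/bin/ps"
BASELINE="$WORK/baseline.cksum"
record_baseline "$BASELINE" "$WORK/bin/ls" "$WORK/bin/ps"
printf 'trojaned ls\n' > "$WORK/bin/ls"

echo "integrity check:"
changed_files "$BASELINE"
```

The baseline only has value if it was recorded before the compromise and stored somewhere the attacker cannot rewrite (read-only media, or the package manager's own checksums such as those `rpm -V` consults on Red Hat), and if the check is run with a trusted `cksum` and `awk`, since a trojaned binary set can include those too.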