[LUAU] Hackers found

Chris Wong wongc at math.ed.hawaii.edu
Thu Jan 28 00:19:59 PST 1999


On Wed, 27 Jan 1999, Scott Cooley wrote:

> Prompted by complaints of slow net response times at one of my jobsites, I
> investigated their linux mailserver to find out it had been hacked.  Some
> luser, as it would seem from another country, had gained root and created
> a couple accounts.  One had gid/uid 0 and no password, so he could telnet
> in with no password and be root.  The other was a normal user account, and
> in his home dirs were a few packages, namely lrk4, wipe (log wiper), and
> an irc proxy called bnc.

> This lrk4 thingy managed to replace many binaries with "trojaned"
> versions, which give root access to whoever runs them.  Programs like
> ls, chfn, chsh, passwd, login, ps, pidof, cron etc.

Standard Rootkit.

> Anyway, I tracked down his source IP and ipfwadmed his subnet out of the
> system til I can do something more permanent.  Meanwhile I killed his irc
> program, which brought net bandwidth back up.  Fortunately, I made backup
> to CD a few weeks ago, but I got to thinking, whatever he did, he could do
> again the exact same way.  I poked around rootshell to try and find what
> exploit he could have used, but there's so many now.

Banning his subnet probably won't do anything because 10 to 1, that site
he broke into to begin with. (Why do I assume it's a he???)

> Does anyone have a suggestion as to how I can prevent this from happening
> again once I restore the backup?  What exploit could someone use who
> didn't already have shell access to the box?  I'm running RedHat 5.1, and
> (to my knowledge) the box was pretty well secured, i.e. only minimal inetd
> stuff going and no majorly buggy daemons installed.  Needless to say, the
> logs were wiped so I can't tell exactly what happened.

I'm going to go out on a limb and say pop-3. The amount of probes I see on
my pop-3 is rather suspicious since I haven't seen any exploits for it.

You might want to use tcp_wrappers to keep the services down to your own
local subnet.

Then again.. you said mail box... probably sendmail :)
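As an added example (not part of the original thread), here is a small POSIX sh audit for the two signs the compromised box showed: a second uid/gid 0 account and an account with an empty password field. The sample passwd lines are constructed; the account names in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: audit a passwd-style file for
# extra uid-0 accounts and for accounts with an empty password field, the two
# things the compromised mailserver had.  POSIX sh + awk only, so it runs on an
# old RedHat-era box as well as on a modern system.

# Print "uid0 <name>" for every uid-0 account other than root and
# "nopass <name>" for every account whose password field is empty.
# Argument: path to a passwd file (defaults to /etc/passwd).
audit_passwd() {
    awk -F: '
        $3 == 0 && $1 != "root" { print "uid0 " $1 }
        $2 == ""                { print "nopass " $1 }
    ' "${1:-/etc/passwd}"
}

# Returns 0 if nothing was flagged, 1 otherwise (handy for cron checks).
passwd_is_clean() {
    [ -z "$(audit_passwd "$1")" ]
}

# Constructed sample (assumed names, not from the thread): a second uid-0 login
# with no password next to an ordinary user account.
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor::0:0::/:/bin/sh
bob:x:500:500:Bob:/home/bob:/bin/bash
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample "$tmp"
    audit_passwd "$tmp"
    rm -f "$tmp"
fi
```

On a system with shadow passwords the empty-password check belongs on /etc/shadow (second field there as well); the uid check only makes sense on /etc/passwd.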
