hack lesson?

R Scott Belford sctinc at mac.com
Fri Jan 11 20:40:37 PST 2002


I guess that I was asking for this, if such a thing is possible.  Some 
of you will laugh and some may be interested.  It's a good story.  This 
morning, a little after I posted a response about rpm's and webmin, 
someone entered my machine.  It was right as I was being responded to 
and warned about the explicit dangers perl creates.  I obviously should 
have realized this as someone was determined to teach me a lesson by 
damage rather than words.

I noticed around 2:30 this afternoon, when running top, that several 
pid's owned by root had been consuming a lot of processor cycles for 
about 5.25 hours.  They were running /usr/bin/perl.  When I looked at my 
gui process manager, several programs with unfamiliar names were 
running.  I was unable to terminate these by kill -9 pid.  I elected to 
restart my machine.  Typical windoze fix, but I was hoping to stop the 
processes.  Upon restarting, I am unable to get a terminal on the redhat 
box.  It keeps flashing for a second, then disappears.  Someone has put 
the x server in some kind of loop that keeps me from the prompt.  I'd 
log in from my Debian box, but they went in there too.  I log in to it, 
enter a password, and am returned to the login prompt.  At least I get a 
prompt on it.  Unkind but funny.  I ssh in from my windoze box and ps 
-ax shows a complicated x command running that seems to be causing my 
redhat login difficulties.  Attempts to kill this pid fail as its pid 
number keeps changing.  These are teasing hacks, I know, but I just 
can't fix them (yet.)

So, obviously there is some kind of vulnerability that perl has created 
for me which I was warned about then exploited through.  No harm done, I 
keep backups of my worthless data.  My time is not so valuable that I 
care about reinstalling.  Someone can pat themselves on the back for 
it.  What is a shame, though, is that I clearly upset someone reading 
this mailing list earlier who decided to show me how smart they were.  
The coincidence is too uncanny.  Rather than share their knowledge to 
the better of all, they have abused my poor little box.  I guess that 
shows me how much smarter real sysadmins are than newbies.

I have an appetite for humble pie, though, and will only grow wiser from 
this experience.  If this perl vulnerability is in any way related to 
webmin, then let me be the first to say to be wary of it.  I have no 
certainty of this, though, and would be more wary about spreading fud.  
When I learn what is of value from this hack, I'll let any of you know 
who are interested.  If you have any insights into what tricks have 
been played here, perhaps you will share them.  I'd love to make 
something good out of this.

scott



More information about the LUAU mailing list