[luau] RH 9 server hacked -- what went wrong?

Rob Bootsma rbootsma at comtelhi.com
Fri Aug 22 09:32:00 PDT 2003


Hi all,

I just recently set up a RH 9 server (less than a week ago), and it has
already been hacked.  I know I'm going to have to reinstall, but I was
hoping to find out what vulnerability was exploited so it doesn't happen
again next time.  I don't think any passwords were cracked.  They must
have used some other known exploit.  But which one?

Here's what I know.  It looks like they installed some sort of IRC
relay.  It also seems that they tampered with sshd and samba.  Some of
the packages from the rootkit they used include kool.tar.gz,
psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others).  Does
anyone know what these do?  Syslog was also tampered with (this was my
first clue).  Chkrootkit shows ifconfig, login, and pstree as infected.

So my question is, how did they get root?  Well, I guess they used this
rootkit, but how did they manage to install that?  Where is the
vulnerability?  If anyone has any suggestions of what to look for before
I wipe out this box, it would be greatly appreciated.

Aloha,
Rob
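
One thing worth doing before the box is wiped is to let the package database say which files no longer match what was installed. The script below is an added example, not code from the original post or from the LUAU list: it parses the output of `rpm -Va` (the verify format of rpm 4.1 as shipped with Red Hat 9, an eight-position `SM5DLUGT` field followed by an optional `c`/`d`/`g`/`l`/`r` attribute and the path, plus `missing` lines) and separates content changes in system binaries, which is what chkrootkit's "infected" verdict on ifconfig, login and pstree usually corresponds to, from the mtime-only and config-file drift that a normal install produces. The sample output embedded in it is constructed to resemble the poster's findings and is not from his machine.

```python
"""Triage helper for a suspected-trojaned RPM-based host (added example).

Parses `rpm -Va` output and separates expected drift (config edits,
mtime-only changes) from content changes in system binaries, which is
the classic signature of a replaced ifconfig/login/pstree.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# rpm -Va (rpm 4.1, the Red Hat 9 release) prints one line per file that
# fails verification:
#
#   SM5DLUGT  [c|d|g|l|r] /path
#   missing   [c|d|g|l|r] /path
#
# Each flag position is '.' when the test passed, '?' when it could not
# run, or the letter when it failed.  Assumption: the 8-position field of
# rpm 4.1; later rpm releases add a ninth 'P' (capabilities) column.
FLAG_MEANING = {
    "S": "size differs",
    "M": "mode (permissions/type) differs",
    "5": "MD5 digest differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
}
VERIFY_LINE = re.compile(r"^([SM5DLUGT.?]{8})\s+(?:([cdglr])\s+)?(\S+)$")
MISSING_LINE = re.compile(r"^missing\s+(?:([cdglr])\s+)?(\S+)$")

# Directories where an unexpected digest change is a strong trojan indicator.
BINARY_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")


@dataclass
class VerifyResult:
    path: str
    flags: str            # raw 8-char field, or "missing"
    attr: Optional[str]   # 'c' config, 'd' doc, ... or None

    def failed(self) -> Set[str]:
        return {f for f in self.flags if f in FLAG_MEANING}

    def content_changed(self) -> bool:
        # A replaced executable almost always trips the MD5 test and usually
        # the size test; an mtime-only change ('T') is routine after edits.
        return bool(self.failed() & {"5", "S"})

    def is_config(self) -> bool:
        return self.attr == "c"


def parse_rpm_verify(output: str) -> List[VerifyResult]:
    """Parse raw `rpm -Va` text into VerifyResult records, skipping any
    non-per-file lines (e.g. unsatisfied-dependency notices)."""
    results = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERIFY_LINE.match(line)
        if m:
            results.append(VerifyResult(m.group(3), m.group(1), m.group(2)))
            continue
        m = MISSING_LINE.match(line)
        if m:
            results.append(VerifyResult(m.group(2), "missing", m.group(1)))
    return results


def suspect_binaries(results: List[VerifyResult]) -> List[str]:
    """Non-config files under system binary/library directories whose
    contents changed: candidates for a trojaned binary."""
    return sorted(
        r.path for r in results
        if r.content_changed() and not r.is_config()
        and r.path.startswith(BINARY_DIRS)
    )


def changed_configs(results: List[VerifyResult]) -> List[str]:
    """Config files whose contents changed.  Admin edits land here too, so
    each one still needs diffing against the package default; rpm -V only
    says *that* sshd_config or smb.conf changed, not how."""
    return sorted(r.path for r in results if r.content_changed() and r.is_config())


def explain(result: VerifyResult) -> str:
    """Human-readable reason for one verify line."""
    if result.flags == "missing":
        return f"{result.path}: file missing"
    why = ", ".join(FLAG_MEANING[f] for f in "SM5DLUGT" if f in result.failed())
    return f"{result.path}: {why}"


# Constructed sample resembling the findings in the post; not real output.
SAMPLE_OUTPUT = """\
S.5....T    /sbin/ifconfig
S.5....T    /bin/login
S.5....T    /usr/bin/pstree
S.5....T  c /etc/ssh/sshd_config
..5....T  c /etc/samba/smb.conf
.......T  d /usr/share/doc/net-tools-1.60/README
missing     /usr/share/man/man8/pstree.8.gz
.M......    /var/log
"""

if __name__ == "__main__":
    res = parse_rpm_verify(SAMPLE_OUTPUT)
    print("Likely trojaned binaries:")
    for p in suspect_binaries(res):
        print("  ", p)
    print("Changed config files:")
    for p in changed_configs(res):
        print("  ", p)
    print("All findings:")
    for r in res:
        print("  ", explain(r))
```

Two caveats apply when running this on the compromised host itself. If the attacker replaced `rpm` or edited the RPM database, `rpm -Va` can be made to report a clean system, so the verification is only trustworthy when the binary and the database are taken from known-good media (for example `rpm -Vp` against the original package files from the install CDs while booted into rescue mode). And a kernel-level rootkit can hide file contents from any userland tool, which is why the on-disk comparison is best done with the suspect disk mounted read-only from a clean boot rather than from the running system.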


