[luau] RH 9 server hacked -- what went wrong?
R. Scott Belford
sctinc at flex.com
Fri Aug 22 09:47:00 PDT 2003
I have to wonder if, after installing the server, you made certain that
you ran up2date or apt-get (if you installed apt) to update all the
packages. What services did you have running? Was the machine
firewalled?
--scott
On Friday, August 22, 2003, at 09:33 AM, Rob Bootsma wrote:
> Hi all,
>
> I just recently set up a RH 9 server (less than a week ago), and it has
> already been hacked. I know I'm going to have to reinstall, but I was
> hoping to find out what vulnerability was exploited so it doesn't happen
> again next time. I don't think any passwords were cracked. They must
> have used some other known exploit. But which one?
>
> Here's what I know. It looks like they installed some sort of IRC
> relay. It also seems that they tampered with sshd and samba. Some of
> the packages from the rootkit they used include kool.tar.gz,
> psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others). Does
> anyone know what these do? Syslog was also tampered with (this was my
> first clue). Chkrootkit shows ifconfig, login, and pstree as infected.
>
> So my question is, how did they get root? Well, I guess they used this
> rootkit, but how did they manage to install that? Where is the
> vulnerability? If anyone has any suggestions of what to look for before
> I wipe out this box, it would be greatly appreciated.
>
> Aloha,
> Rob
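One concrete thing to look at before wiping a box like this, as an added example that is not part of the thread: on an RPM-based system such as RH 9, `rpm -Va` reports every file whose size, digest, mode or owner no longer matches the package database, which cross-checks chkrootkit's verdict on ifconfig, login and pstree and may surface other replaced binaries. The parser below is mine, not a tool either poster mentions, and the `rpm -Va` output it reads is constructed; it assumes a trusted copy of rpm, since a rootkit can tamper with rpm and its database as easily as with syslog.

```python
"""Triage helper: turn `rpm -Va` output into a list of binaries whose
content changed or which went missing, ignoring noise such as config
files and mtime-only differences.

Line format (rpm 4.x): an 8-char flag string (9 in newer rpm), an
optional file-type letter (c = config, d = doc, ...), then the path.
Flags: S size, M mode, 5 MD5 digest, D device, L symlink, U user,
G group, T mtime, P capabilities; '.' means unchanged.
'missing <path>' marks a file the package owns but that is gone.
"""

FLAG_NAMES = {
    "S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}

def parse_rpm_verify(output):
    """Yield (path, set of changed attributes, file-type letter or '')."""
    for line in output.splitlines():
        parts = line.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "missing":
            yield parts[-1], {"missing"}, ""
            continue
        if len(parts) == 3 and len(parts[1]) == 1:   # type letter present
            ftype, path = parts[1], parts[2]
        else:
            ftype, path = "", " ".join(parts[1:])
        changed = {FLAG_NAMES.get(ch, ch) for ch in parts[0] if ch not in ".?"}
        yield path, changed, ftype

def suspicious_binaries(output):
    """Return {path: sorted changed attrs} for non-config files whose
    size or MD5 changed, or which are missing. A touch or prelink only
    moves mtime, so mtime-only entries are dropped; config files (c)
    are expected to differ and are skipped too."""
    hits = {}
    for path, changed, ftype in parse_rpm_verify(output):
        if ftype != "c" and changed & {"size", "md5", "missing"}:
            hits[path] = sorted(changed)
    return hits

# Constructed sample of what `rpm -Va` might print on the compromised host.
SAMPLE = """\
S.5....T    /sbin/ifconfig
S.5....T    /bin/login
S.5....T    /usr/bin/pstree
.......T    /usr/bin/ssh
S.5....T  c /etc/ssh/sshd_config
missing     /usr/sbin/sshd
"""

if __name__ == "__main__":
    for path, attrs in suspicious_binaries(SAMPLE).items():
        print(path, ",".join(attrs))
```

A clean `rpm -Va` run is weak evidence on its own (the database may have been rewritten); a dirty one is a reliable pointer to what was replaced.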