got cracked!

J.L.Francois jlf@magusnet.gilbert.az.us
Sun, 12 Nov 2000 17:48:01 -0700


Don't use wu-ftpd for a while.
Switch to ProFTPD and sleep better at night.

For the holes, look at the RedHat site errata and alerts pages.

JLF Sends...

It seems like on Sun, Nov 12, 2000 at 01:05:26AM -0700, Armin Hartinger scribbled:
Orig Msg> drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
Orig Msg> drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
Orig Msg> -rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
Orig Msg> drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
Orig Msg> drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
Orig Msg> -rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
Orig Msg> drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
Orig Msg> drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
Orig Msg> drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
Orig Msg> -rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
Orig Msg> [armin@gateway /www]$
Orig Msg> 
Orig Msg> Someone hacked into my little Linux gateway box. He defaced index.html and saved the old one as old.html.
Orig Msg> That he appears as root/ftp, is that an indication how he got in?
Orig Msg> 
Orig Msg> I had anon. ftp running, using the default one RH 6.2 ships with (wu-2.6.0).
Orig Msg> 
Orig Msg> I suppose I have to completely re-setup that box, I just would like to know what hole to close there.
Orig Msg> 
Orig Msg> Any ideas?
Orig Msg> 
Orig Msg> If anybody wants to see the deface before I fix my box: http://24.221.63.194/
Orig Msg>