got cracked!

[Hawke]

your best bet as far as wu-ftpd is concerned,
upgrade the packages 9and even get the security stuff).

also, in your ftpaccess file, change the check password from
"warn" to "enforce".

also, check to make sure your libs in the lib folder of your
ftp site hasn't been changed as well.

anything else would require more expertise than I currently
have available atm.

Hawke

> Armin Hartinger wrote:
> 
> drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
> drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
> -rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
> drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
> drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
> -rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
> drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
> drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
> drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
> -rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
> [armin@gateway
> /www]$
> 
> Someone hacked into my little Linux gateway box. He defaced index.html
> and saved the old one as old.html
> That he appears as root/ftp, is that an indication how he got in?
> 
> I had anon. ftp running, using the default one RH 6.2 ships with
> (wu-2.6.0).
> 
> I suppose I have to completely re-setup that box, I just would like
> to know what hole to close there.
> 
> Any ideas?
> 
> If anybody wants to see the deface before I fix by box:
> http://24.221.63.194/
> 
> 

-- 
Make a few extra $$$.
Join http://www.processtree.com/?sponsor=29027

The rest of this signature is currently out of service.