got cracked, part II was: Re: got cracked!

Hawke proudhawk19021@home.com
Mon, 13 Nov 2000 12:11:36 -0700


Ok,
given the type of "break in" it looks like a rootkit was
also installed. Keep the machine around as long as possible
until you get the other one set up.

I would highly recommend that you use something other than
redhat 7.0 though (too many security holes and other "bugs"
to be considered reliable). Other systems that offer greater
security include: debian, caldera and openBSD/freeBSD (the last is
generally secure enough for most users and can be enhanced for
enterprise usage security as well).

Also, were you running the telnet daemon on your system? If so, that's
a way in right there.

Also, there appears to be something wrong with your e-mail client
(the html you are sending to the list causes my netscape to
crash out (self terminate) upon hitting the reply-to button).


*** for the rest of the list ***
I have a couple of security related questions I'd like answered.
1. How can I regulate programs like "top" so that they don't show
every process running under the sun when a user (not root) calls it?
2. Are there any programs in the /usr/* hierarchy that I should chmod
as u-x?

Hawke


"Armin Hartinger" <armin@pctechware.com> wrote on 
13 November, 2000 at 01:15 hours:

>Ok an update on my little adventure:
> 
>I mailed him, no reply.
> 
>I dug up another harddrive on which I will set up a new Linux 
>and meanwhile I can plug in the old "corrupted" hdd to keep 
>the show running before I finalize the new setup. Currently 
>I'm playing around with RH7, but the memo from the GCC developers 
>stating that RH7's gcc is only a development version makes me a 
>little uneasy about it. What's the scoop?
In answer to this question: redhat included an unstable cvs snapshot
of the gcc compiler when they shipped redhat 7. The reasons for this
are many and varied (mostly conjecture), but one good reason was
that the new snapshot has capabilities with the new ABI engine.
Given this, when gcc finally finalizes their gcc revision, redhat will
have to revamp their system yet again (as the new gcc will have new
capabilities and may not be entirely compatible with older versions).

> 
>When I set up that box originally, I figured "well, who would 
>want to do something with it, it's just a plain gateway box?". 
>But over the months it grew, I put on apache, php, mysql, GnuPG, 
>SMB and used it as development server for my sidejobs. Also I 
>set up subdomains for my kids and what not... now I have to set 
>it all up again and it's a royal PITA.
> 
>I plan to run too many services on it to be really secure, but 
>I will nevertheless tighten things up a bit. FTP will go for 
>sure. I guess I'd rather log in remotely via SSH and ftp manually 
>from there. I will also take some closer looks into "Maximum 
>Linux Security" which I picked up a while ago. My firewall rules 
>were a bit liberal too... 
> 
>Another thing I'd be interested in is some form of automatized 
>backup of certain directories. I don't have a backup drive at 
>the moment and I don't really want to run another electricity 
>hogging PC constantly which could suck down files with 'expect' 
>or similar... anybody got ideas?
> 
>Now some more details about my corrupted box & that cracker.
> 
>Whatever he wrote about that he didn't damage anything, just 
>deleted the logs and changed some html-files doesn't sound very 
>likely. He created a new user "skizzo", some more usergroups 
>and pseudo-legit accounts. Judging from the remaining files 
>in a directory ".stuff" in /home/skizzo/, he installed one or 
>more bots in the system. Looking into cron.d and rc.d showed all 
>kinds of weird stuff called.
>
>I also found a .gz and programs called "adore" and "ava". Ava seems 
>to be a program to hide tasks so they don't show up with "ps" anymore 
>and something else weird it seems to do with PIDs. Adore does some 
>other little thingies...
>from ava.c:
>            printf("Usage: %s {h,u,r,i,v,U} [file, PID or dummy (for 'U')]\n\n"
>         "       h hide file\n"
>         "       u unhide file\n"
>         "       r execute as root\n"
>         "       U uninstall adore\n"
>         "       i make PID invisible\n"
>         "       v make PID visible\n\n", argv[0]);
> 
>If anybody wants those programs to play around with them... just lemme know.
> 
>Well, bottomline is that I absolutely will set up a new OS and will 
>tighten security a little. Since I was an easy target once as it seems, 
>I can expect more to come, right?
 
-Armin
 
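A defender-side check for the PID hiding Armin describes (ava's "i make PID invisible" option) and a partial answer to Hawke's question about what "top" shows: an added example written for this page, not code from the thread or from adore/ava. It assumes a Linux host with a standard procps `ps`; it probes /proc/<n>/status for every candidate PID instead of trusting the /proc directory listing, then compares that view with what the listing and `ps` report. Hidden thread-group leaders show up as differences; threads (Tgid != Pid) are skipped so they do not cause false alarms.

```python
"""Cross-check three views of the process table to spot PIDs hidden from ps
(what adore/ava's 'i' option does). Added example; not code from the thread."""
import os
import subprocess

def parse_status(text):
    """Return (pid, tgid) from the text of /proc/<n>/status."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return int(fields["Pid"]), int(fields["Tgid"])

def pids_by_probe(proc_root="/proc", pid_max=32768):
    """Open /proc/<n>/status for every candidate n instead of trusting readdir
    on /proc, which is the call adore-style kernel modules filter. Threads also
    have unlisted /proc/<tid> entries, so keep only thread-group leaders
    (Tgid == Pid). pid_max is the classic default; read
    /proc/sys/kernel/pid_max on hosts that raised it."""
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            with open(f"{proc_root}/{pid}/status") as fh:
                p, tgid = parse_status(fh.read())
        except (OSError, KeyError, ValueError):
            continue
        if p == tgid:
            found.add(pid)
    return found

def pids_by_listdir(proc_root="/proc"):
    """PIDs visible as numeric directories under /proc (the view top uses)."""
    return {int(n) for n in os.listdir(proc_root) if n.isdigit()}

def pids_by_ps():
    """PIDs as reported by the ps binary (a trojaned ps would lie here)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}

def hidden_pids(reference, reported):
    """PIDs in the reference view but missing from the reported one. Short-lived
    processes cause transient differences, so re-run before raising an alarm."""
    return sorted(reference - reported)

if __name__ == "__main__":
    probed = pids_by_probe()
    print("hidden from /proc listing:", hidden_pids(probed, pids_by_listdir()))
    print("hidden from ps:", hidden_pids(probed, pids_by_ps()))
```

Run it as root so every /proc/<n>/status is readable; a non-empty "hidden from ps" list that survives a second run means ps and the kernel disagree, which is exactly what a kit like adore produces.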