[Plug-security] I'm Cracked

Furmanek, Greg Greg.Furmanek@hit.cendant.com
Tue, 15 Aug 2000 18:17:33 -0400


I guess I would look on securityfocus.com for more info on current
anonymous ftp flaws.
Check your version and start looking at exploits.

Also check other services that you have running.

Run a search through your directories and look for
directories starting with ".".

If the cracker created accounts on your machine, check
the history file for what he has been doing, unless
he is good enough to cover it up.



-> -----Original Message-----
-> From: G.D.Thurman [mailto:thurmunit@user1.inficad.com]
-> Sent: Tuesday, August 15, 2000 3:12 PM
-> To: plug-security@lists.PLUG.phoenix.az.us
-> Subject: [Plug-security] I'm Cracked
-> 
-> 
-> It didn't take long, but my Red Hat 6.2 installation has
-> been cracked.  I did a basic install and nothing else.
-> It appears as though somebody did an anonymous 'ftp'
-> and did something that allowed them to create two
-> accounts (scam and x).  I cannot find any other files
-> that may have been copied onto the machine.  The machine
-> will be re-installed sometime soon, but at this moment
-> the only thing I've done is remove 'ftp' from /etc/passwd,
-> deleted bogus accounts, and changed passwords on the
-> remaining user accounts.  I'd like to do checksums
-> to see if programs such as passwd and login have been
-> replaced, but that is for another time.
-> 
-> Does anybody know how this crack was accomplished?
-> 
-> Thanks.
-> 
-> G.D.Thurman [CS/CIS Instructor]  Scottsdale Community College
-> phone:  480.423.6110    fax:  480.423.6101     icq:  65265811
-> http://www.inficad.com/~thurmunit/      thurmunit@inficad.com
->
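
The checks mentioned in this thread (directories starting with ".", added accounts, checksums of programs such as passwd and login), as an added example that is not part of either message. The function names, the known-good passwd copy, the SHA-256 manifest built from trusted media, and the sample tree with its UIDs are all assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added triage sketch. Function names and the sample data are assumptions.

# Directories whose name starts with "." anywhere under $1.
find_dot_dirs() {
    find "$1" -mindepth 1 -xdev -type d -name '.*' -print 2>/dev/null | sort
}

# Account names in the current passwd file ($2) that a known-good copy ($1) lacks.
new_accounts() {
    awk -F: -v good="$1" 'FILENAME == good { seen[$1] = 1; next }
                          !($1 in seen)    { print $1 }' "$1" "$2"
}

# Accounts other than root that carry UID 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Files under root $1 whose SHA-256 no longer matches manifest $2.
# $2 is an absolute path to "sha256sum" output with paths relative to $1,
# and must come from trusted media, not from the suspect machine.
changed_files() {
    ( cd "$1" && sha256sum --quiet -c "$2" 2>/dev/null | sed 's/: FAILED.*$//' )
}

# Constructed sample: a tiny fake root holding the two account names from the
# post (UIDs invented), one dot-directory under tmp, and a modified bin/login.
make_sample() {
    local r; r=$(mktemp -d)
    mkdir -p "$r/bin" "$r/etc" "$r/tmp/.hidden" "$r/home/user"
    printf 'root:x:0:0::/root:/bin/bash\nftp:x:14:50::/var/ftp:/sbin/nologin\n' \
        > "$r/etc/passwd.good"
    { cat "$r/etc/passwd.good"
      printf 'scam:x:0:0::/:/bin/bash\nx:x:501:501::/:/bin/bash\n'; } > "$r/etc/passwd"
    echo login-v1 > "$r/bin/login"; echo passwd-v1 > "$r/bin/passwd"
    ( cd "$r" && sha256sum bin/login bin/passwd > manifest.sha256 )
    echo login-tampered > "$r/bin/login"   # simulate a replaced binary
    echo "$r"
}
```

Run these from rescue media against the mounted disk where possible, since find, awk and sha256sum on a compromised system may themselves have been replaced.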