This is a multi-part message in MIME format.

------=_NextPart_000_0033_01C04C44.A41C9E80
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
-rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
-rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
-rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
[armin@gateway /www]$                                                    =
     =20

Someone hacked into my little Linux gateway box. He defaced index.html =
and saved the old one as old.html
That he appears as root/ftp, is that an indication how he got in?

I had anon. ftp running, using the default one RH 6.2 ships with =
(wu-2.6.0).

I suppose I have to completely re-setup that box, I just would like to =
know what hole to close there.

Any ideas?

If anybody wants to see the deface before I fix by box: =
http://24.221.63.194/



------=_NextPart_000_0033_01C04C44.A41C9E80
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>drwxrwxrwx&nbsp;&nbsp;&nbsp; 7=20
110&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
203&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4096 Nov&nbsp; =
4 22:45=20
.<BR>drwxr-xr-x&nbsp;&nbsp; 14 110&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
203&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4096 Sep 24 =
12:04=20
..<BR>-rw-r--r--&nbsp;&nbsp;&nbsp; 1 armin&nbsp;&nbsp;&nbsp;=20
armin&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 2326 Sep 25 18:25=20
apache_pb.gif<BR>drwxrwxr-x&nbsp;&nbsp;&nbsp; 2 armin&nbsp;&nbsp;&nbsp;=20
armin&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4096 Sep 25 18:27=20
deborah<BR>drwxrwxrwx&nbsp;&nbsp;&nbsp; 4 armin&nbsp;&nbsp;&nbsp;=20
armin&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4096 Oct 10 14:45=20
dev<BR>-rw-r--r--&nbsp;&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;=20
ftp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1431 Oct 24 =
20:06=20
index.html<BR>drwxrwxrwx&nbsp;&nbsp;&nbsp; 2 armin&nbsp;&nbsp;&nbsp;=20
armin&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4096 Nov 11 17:01=20
kristen<BR>drwxrwxrwx&nbsp;&nbsp;&nbsp; 3 armin&nbsp;&nbsp;&nbsp;=20
armin&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4096 Nov 11 16:08=20
lauren<BR>drwxrwxrwx&nbsp;&nbsp;&nbsp; 7 =
110&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
203&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 4096 Aug =
16&nbsp; 1999=20
manual<BR>-rw-r--r--&nbsp;&nbsp;&nbsp; 1 root&nbsp;&nbsp;&nbsp;&nbsp;=20
ftp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 66 =
Oct 24=20
20:04 old.html<BR>[armin@gateway=20
/www]$&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&n=
bsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nb=
sp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Someone hacked into my little Linux =
gateway box. He=20
defaced index.html and saved the old one as old.html</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>That he appears as root/ftp, is that an =
indication=20
how he got in?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>I had anon. ftp running, using the =
default one RH=20
6.2 ships with (wu-2.6.0).</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>I suppose I have to completely re-setup =
that box, I=20
just would like to&nbsp;know what hole to close there.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Any ideas?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>If anybody wants to see the deface =
before I=20
fix&nbsp;by box: <A=20
href=3D"http://24.221.63.194/">http://24.221.63.194/</A></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_0033_01C04C44.A41C9E80--