Am 12. Nov, 2000 schwäzte Armin Hartinger so:

> drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
> drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
> -rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
> drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
> drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
> -rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
> drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
> drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
> drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
> -rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
> [armin@gateway /www]$                                                          
> 
> Someone hacked into my little Linux gateway box. He defaced index.html
> and saved the old one as old.html That he appears as root/ftp, is that
> an indication how he got in?

There's been at least one recent exploit for ftp. Look at the errata at
RedHat for a fixed version (presuming their shipped version was
susceptible).

I'd say the original file was owned by root.ftp. The cracker probably did
something like "cp index.html old.html; cat tmpfile >index.html", so the
perms are actually what you had before and the cracker had root perms.

> I had anon. ftp running, using the default one RH 6.2 ships with (wu-2.6.0).

That and the hole was all they needed. Shouldn't run anon ftp. Use a web
daemon instead.

> I suppose I have to completely re-setup that box, I just would like to
> know what hole to close there.

Uness you're very certain of what you're doing, you should wipe your box
and reinstall. If you need to restore data find out when you were hit and
restore from before that time.

ciao,

der.hans
-- 
#  der.hans@LuftHans.com   home.pages.de/~lufthans/   www.Opnix.com
#  Keine Ahnung, was ich dir sagen soll,
#  keine Ahnung und keinen (.)plan. -- die Toten Hosen