Ok, an update on my little adventure:
 
I mailed him, no reply.
 
I dug up another hard drive on which I will set up a new Linux, and meanwhile I can plug in the old "corrupted" hdd to keep the show running before I finalize the new setup. Currently I'm playing around with RH7, but the memo from the GCC developers stating that RH7's gcc is only a development version makes me a little uneasy about it. What's the scoop?
 
When I set up that box originally, I figured "well, who would want to do something with it, it's just a plain gateway box?". But over the months it grew: I put on apache, php, mysql, GnuPG, SMB and used it as a development server for my side jobs. Also I set up subdomains for my kids and what not... now I have to set it all up again and it's a royal PITA.
 
I plan to run too many services on it to be really secure, but I will nevertheless tighten things up a bit. FTP will go for sure. I guess I'd rather log in remotely via SSH and ftp manually from there. I also will take some closer looks into "Maximum Linux Security", which I picked up a while ago. My firewall rules were a bit liberal too...
 
Another thing I'd be interested in is some form of automated backup of certain directories. I don't have a backup drive at the moment and I don't really want to run another electricity-hogging PC constantly which could suck down files with 'expect' or similar... anybody got ideas?
 
Now some more details about my corrupted box & that cracker.
 
Whatever he wrote about how he didn't damage anything, just deleted the logs and changed some html files, doesn't sound very likely. He created a new user "skizzo", some more user groups and pseudo-legit accounts. Judging from the remaining files in a directory ".stuff" in /home/skizzo/, he installed one or more bots in the system. Looking into cron.d and rc.d showed all kinds of weird stuff called.
I also found a .gz and programs called "adore" and "ava". Ava seems to be a program to hide tasks so they don't show up with "ps" anymore, and something else weird it seems to do with PIDs. Adore does some other little thingies...
from ava.c:

    printf("Usage: %s {h,u,r,i,v,U} [file, PID or dummy (for 'U')]\n\n"
           "       h hide file\n"
           "       u unhide file\n"
           "       r execute as root\n"
           "       U uninstall adore\n"
           "       i make PID invisible\n"
           "       v make PID visible\n\n", argv[0]);
 
If anybody wants those programs to play around with them... just lemme know.
 
Well, bottom line is that I absolutely will set up a new OS and will tighten security a little. Since I was an easy target once, as it seems, I can expect more to come, right?
 
-Armin
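The PID-hiding behaviour described above (processes that no longer show up in ps) can be cross-checked from outside the hidden view. What follows is an added example, not code from this thread and not part of the tools found on the box: it lists /proc the way ps does, separately probes every PID number with kill(pid, 0), and reports PIDs that answer the probe but are missing from the listing. It assumes a Linux /proc; the pid_max path and the 32768 fallback are assumptions. Caveat for a box like this one: a kernel-level rootkit can lie in the kill path as well, so a clean result proves little, and the right move remains offline examination and a rebuild.

```python
"""Cross-check process visibility: /proc readdir versus direct PID probing.

Added example, not code from the original thread. Process hiders of the
kind described in the thread typically remove a PID from directory
listings of /proc (which is what ps reads) while the kernel still answers
for that PID by number. Listing /proc and probing every PID with
kill(pid, 0) gives two views that agree on a clean box; a PID present in
the probe but absent from the listing is hidden.
"""
import os

# Assumed locations; a rescue-booted system may mount the disk elsewhere.
PROC = "/proc"
PID_MAX_PATH = "/proc/sys/kernel/pid_max"
PID_MAX_FALLBACK = 32768  # classic Linux default


def listed_pids(proc: str = PROC) -> set[int]:
    """PIDs visible the way ps sees them: numeric entries of /proc."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid: int) -> set[int]:
    """PIDs the kernel answers for, found by probing each number directly.

    kill(pid, 0) delivers no signal; it only asks whether the PID exists.
    PermissionError means the process exists but belongs to someone else,
    which for this check still counts as "exists", so root is not required.
    """
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive


def hidden_pids(listed: set[int], probed: set[int]) -> set[int]:
    """PIDs that answer to probing but do not appear in the listing."""
    return probed - listed


def read_pid_max(path: str = PID_MAX_PATH) -> int:
    """Upper bound for the probe; falls back to the classic 32768."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return PID_MAX_FALLBACK


def scan() -> set[int]:
    """Full check on the running system; returns the confirmed hidden PIDs."""
    listed = listed_pids()
    probed = probed_pids(read_pid_max())
    candidates = hidden_pids(listed, probed)
    # Processes that start or exit between the two passes look hidden for a
    # moment; re-check each candidate against a fresh listing before reporting.
    fresh = listed_pids()
    confirmed = set()
    for pid in candidates:
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if pid not in fresh:
            confirmed.add(pid)
    return confirmed


if __name__ == "__main__":
    hidden = scan()
    if hidden:
        print("PIDs that answer kill(pid, 0) but are missing from /proc:")
        for pid in sorted(hidden):
            print(f"  {pid}")
    else:
        print("no hidden PIDs found (proves little if the kernel is compromised)")
```

Run it as any user; PermissionError is treated as "exists", so root is not needed. On a modern kernel pid_max may be in the millions and the probe takes a few seconds.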
 
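On the backup question: a second machine pulling files is not needed if the box itself produces archives on a schedule and keeps an integrity record of them. The following is an added example, not code from this thread: a cron-friendly script that tars a list of directories, writes a SHA-256 sidecar per archive (in sha256sum format, so `sha256sum -c` can check it too), verifies the archive it just wrote, and deletes archives beyond a retention count. The directory list, destination and retention count are assumptions; copying the result off the box (scp or rsync over SSH) would be a separate step.

```python
"""Scheduled archive of selected directories with integrity manifest and rotation.

Added example, not code from the original thread. Meant to run from cron on
the box itself: one compressed tar per run, a .sha256 sidecar for each, and
only the newest N archives kept. Paths and retention are assumptions.
"""
from __future__ import annotations

import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file, as hex."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_archive(sources: list[Path], dest_dir: Path, stamp: str | None = None) -> Path:
    """Write dest_dir/backup-<stamp>.tar.gz plus a sha256sum-style sidecar."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M")
    archive = dest_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        for src in sources:
            # Store each tree under its own name, never as an absolute path,
            # so a later extract cannot land on top of / by accident.
            tar.add(str(src), arcname=src.name)
    sidecar = archive.parent / (archive.name + ".sha256")
    sidecar.write_text(f"{sha256_file(archive)}  {archive.name}\n")
    return archive


def verify_archive(archive: Path) -> bool:
    """Recompute the digest and compare it with the sidecar written at backup time."""
    sidecar = archive.parent / (archive.name + ".sha256")
    if not sidecar.exists():
        return False
    recorded = sidecar.read_text().split()[0]
    return recorded == sha256_file(archive)


def rotate(dest_dir: Path, keep: int) -> list[Path]:
    """Delete all but the newest `keep` archives; names sort by timestamp."""
    archives = sorted(dest_dir.glob("backup-*.tar.gz"))
    doomed = archives[:-keep] if keep > 0 else archives
    for old in doomed:
        for p in (old, old.parent / (old.name + ".sha256")):
            if p.exists():
                p.unlink()
    return doomed


def run_backup(sources: list[Path], dest_dir: Path, keep: int = 7,
               stamp: str | None = None) -> Path:
    """One scheduled run: archive, self-verify, then prune old archives."""
    archive = make_archive(sources, dest_dir, stamp)
    if not verify_archive(archive):
        raise RuntimeError(f"{archive} failed its own checksum")
    rotate(dest_dir, keep)
    return archive


def demo_run(keep: int = 2) -> dict:
    """Three runs over a constructed sample tree in a temp dir; reports what survives."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        www = root / "www"                      # constructed sample data
        (www / "deborah").mkdir(parents=True)
        (www / "index.html").write_text("<html>original page</html>\n")
        (www / "deborah" / "notes.txt").write_text("constructed sample data\n")
        dest = root / "backups"
        for day in (10, 11, 12):
            run_backup([www], dest, keep=keep, stamp=f"200011{day}-0300")
        remaining = sorted(dest.glob("backup-*.tar.gz"))
        with tarfile.open(str(remaining[-1])) as tar:
            members = sorted(tar.getnames())
        return {
            "remaining": [a.name for a in remaining],
            "all_verified": all(verify_archive(a) for a in remaining),
            "members": members,
        }


if __name__ == "__main__":
    # Assumed cron line: 0 3 * * * /usr/bin/python3 /usr/local/sbin/backup.py
    # run_backup([Path("/www"), Path("/home"), Path("/etc")], Path("/mnt/backup"), keep=7)
    print(demo_run())
```

The archives land on whatever disk `dest_dir` points at, which on this box would be the spare drive; keep the sidecars with them, since the checksum is what tells a tampered or truncated archive from a good one when you restore.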
 
 
----- Original Message -----
From: Lucas Vogel
To: 'plug-discuss@lists.PLUG.phoenix.az.us'
Sent: Sunday, November 12, 2000 11:40 PM
Subject: RE: got cracked!

I wonder, would he really send you the patch if you emailed him for it? Anyone know? I know almost nothing about hacking/hackers/etc...
-----Original Message-----
From: Armin Hartinger [mailto:armin@pctechware.com]
Sent: Sunday, November 12, 2000 1:05 AM
To: Plug-discuss@lists.PLUG.phoenix.az.us
Subject: got cracked!

    drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
    drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
    -rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
    drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
    drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
    -rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
    drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
    drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
    drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
    -rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
    [armin@gateway /www]$
 
Someone hacked into my little Linux gateway box. He defaced index.html and saved the old one as old.html.
That he appears as root/ftp, is that an indication of how he got in?
 
I had anon. ftp running, using the default one RH 6.2 ships with (wu-2.6.0).
 
I suppose I have to completely re-set up that box; I just would like to know what hole to close there.
 
Any ideas?
 
If anybody wants to see the deface before I fix my box: http://24.221.63.194/
 
 