This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C04D91.70417AB0 Content-Type: text/plain; charset="iso-8859-1" A couple years back I tried logging into my isp's telnet account as nobody(with a blank pw) - and got in! I think I left a little message for them somewhere too, telling them what i did. I don't know how much damage I could have done, I was even greener then than I am now :) -----Original Message----- From: Armin Hartinger [mailto:armin@pctechware.com] Sent: Sunday, November 12, 2000 1:05 AM To: Plug-discuss@lists.PLUG.phoenix.az.us Subject: got cracked! drwxrwxrwx 7 110 203 4096 Nov 4 22:45 . drwxr-xr-x 14 110 203 4096 Sep 24 12:04 .. -rw-r--r-- 1 armin armin 2326 Sep 25 18:25 apache_pb.gif drwxrwxr-x 2 armin armin 4096 Sep 25 18:27 deborah drwxrwxrwx 4 armin armin 4096 Oct 10 14:45 dev -rw-r--r-- 1 root ftp 1431 Oct 24 20:06 index.html drwxrwxrwx 2 armin armin 4096 Nov 11 17:01 kristen drwxrwxrwx 3 armin armin 4096 Nov 11 16:08 lauren drwxrwxrwx 7 110 203 4096 Aug 16 1999 manual -rw-r--r-- 1 root ftp 66 Oct 24 20:04 old.html [armin@gateway /www]$ Someone hacked into my little Linux gateway box. He defaced index.html and saved the old one as old.html That he appears as root/ftp, is that an indication how he got in? I had anon. ftp running, using the default one RH 6.2 ships with (wu-2.6.0). I suppose I have to completely re-setup that box, I just would like to know what hole to close there. Any ideas? If anybody wants to see the deface before I fix by box: http://24.221.63.194/ ------_=_NextPart_001_01C04D91.70417AB0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
A=20 couple years back I tried logging into my isp's telnet account as = nobody(with a=20 blank pw) - and got in! I think I left a little message for them = somewhere too,=20 telling them what i did. I don't know how much damage I could have = done, I was=20 even greener then than I am now :)
-----Original Message-----
From: Armin Hartinger=20 [mailto:armin@pctechware.com]
Sent: Sunday, November 12, = 2000 1:05=20 AM
To: = Plug-discuss@lists.PLUG.phoenix.az.us
Subject: got=20 cracked!

drwxrwxrwx    7=20 110     =20 203          4096 = Nov  4=20 22:45 .
drwxr-xr-x   14 = 110     =20 203          4096 Sep 24 = 12:04=20 ..
-rw-r--r--    1 armin   =20 armin        2326 Sep 25 18:25=20 apache_pb.gif
drwxrwxr-x    2 = armin   =20 armin        4096 Sep 25 18:27=20 deborah
drwxrwxrwx    4 armin   =20 armin        4096 Oct 10 14:45=20 dev
-rw-r--r--    1 root    =20 ftp          1431 Oct 24 = 20:06=20 index.html
drwxrwxrwx    2 armin   =20 armin        4096 Nov 11 17:01=20 kristen
drwxrwxrwx    3 armin   =20 armin        4096 Nov 11 16:08=20 lauren
drwxrwxrwx    7 = 110     =20 203          4096 Aug = 16 =20 1999 manual
-rw-r--r--    1 = root    =20 ftp            = 66 Oct=20 24 20:04 old.html
[armin@gateway=20 = /www]$           =             =             =             =           =20
 
Someone hacked into my little Linux = gateway box.=20 He defaced index.html and saved the old one as old.html
That he appears as root/ftp, is that = an=20 indication how he got in?
 
I had anon. ftp running, using the = default one RH=20 6.2 ships with (wu-2.6.0).
 
I suppose I have to completely = re-setup that box,=20 I just would like to know what hole to close there.
 
Any ideas?
 
If anybody wants to see the deface = before I=20 fix by box: http://24.221.63.194/
 
 
------_=_NextPart_001_01C04D91.70417AB0--