got cracked!

Attachments:
Message as email (text/plain)

Author: Armin Hartinger
Date:
Subject: got cracked!

This is a multi-part message in MIME format.

------=_NextPart_000_0033_01C04C44.A41C9E80
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
-rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
-rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
-rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
[armin@gateway /www]$                                                    =
     =20

Someone hacked into my little Linux gateway box. He defaced index.html =
and saved the old one as old.html
That he appears as root/ftp, is that an indication how he got in?

I had anon. ftp running, using the default one RH 6.2 ships with =
(wu-2.6.0).

I suppose I have to completely re-setup that box, I just would like to =
know what hole to close there.

Any ideas?

If anybody wants to see the deface before I fix by box: =
http://24.221.63.194/

------=_NextPart_000_0033_01C04C44.A41C9E80
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 5.50.4134.600" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>drwxrwxrwx    7=20
110     =20
203          4096 Nov  =
4 22:45=20
.<BR>drwxr-xr-x   14 110     =20
203          4096 Sep 24 =
12:04=20
..<BR>-rw-r--r--    1 armin   =20
armin        2326 Sep 25 18:25=20
apache_pb.gif<BR>drwxrwxr-x    2 armin   =20
armin        4096 Sep 25 18:27=20
deborah<BR>drwxrwxrwx    4 armin   =20
armin        4096 Oct 10 14:45=20
dev<BR>-rw-r--r--    1 root    =20
ftp          1431 Oct 24 =
20:06=20
index.html<BR>drwxrwxrwx    2 armin   =20
armin        4096 Nov 11 17:01=20
kristen<BR>drwxrwxrwx    3 armin   =20
armin        4096 Nov 11 16:08=20
lauren<BR>drwxrwxrwx    7 =
110     =20
203          4096 Aug =
16  1999=20
manual<BR>-rw-r--r--    1 root    =20
ftp            66 =
Oct 24=20
20:04 old.html<BR>[armin@gateway=20
/www]$           &=
nbsp;           &n=
bsp;           &nb=
sp;           &nbs=
p;         =20
</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Someone hacked into my little Linux =
gateway box. He=20
defaced index.html and saved the old one as old.html</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>That he appears as root/ftp, is that an =
indication=20
how he got in?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I had anon. ftp running, using the =
default one RH=20
6.2 ships with (wu-2.6.0).</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I suppose I have to completely re-setup =
that box, I=20
just would like to know what hole to close there.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Any ideas?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>If anybody wants to see the deface =
before I=20
fix by box: <A=20
href=3D"http://24.221.63.194/">http://24.221.63.194/</A></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML>

------=_NextPart_000_0033_01C04C44.A41C9E80--

This message is part of the following thread:
	the complete thread tree sorted by date
	ArminHartingerarmin@pctechware.com at
	der.hans at