my hacker story(was RE: got cracked!)

Attachments:
Message as email (text/plain)

Author: LucasVogellvogel@exponent.com
Date:
Subject: my hacker story(was RE: got cracked!)

This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C04D91.70417AB0
Content-Type: text/plain;
    charset="iso-8859-1"

A couple years back I tried logging into my isp's telnet account as
nobody(with a blank pw) - and got in! I think I left a little message for
them somewhere too, telling them what i did. I don't know how much damage I
could have done, I was even greener then than I am now :)

-----Original Message-----
From: Armin Hartinger [mailto:armin@pctechware.com]
Sent: Sunday, November 12, 2000 1:05 AM
To: Plug-discuss@lists.PLUG.phoenix.az.us
Subject: got cracked!

drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
-rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
-rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
-rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
[armin@gateway /www]$

Someone hacked into my little Linux gateway box. He defaced index.html and
saved the old one as old.html
That he appears as root/ftp, is that an indication how he got in?

I had anon. ftp running, using the default one RH 6.2 ships with (wu-2.6.0).

I suppose I have to completely re-setup that box, I just would like to know
what hole to close there.

Any ideas?

If anybody wants to see the deface before I fix by box:
http://24.221.63.194/ <http://24.221.63.194/>

------_=_NextPart_001_01C04D91.70417AB0
Content-Type: text/html;
    charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">

<META content=3D"MSHTML 5.50.4522.1800" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><SPAN class=3D418084516-13112000><FONT face=3DArial =
color=3D#0000ff size=3D2>A=20
couple years back I tried logging into my isp's telnet account as =
nobody(with a=20
blank pw) - and got in! I think I left a little message for them =
somewhere too,=20
telling them what i did. I don't know how much damage I could have =
done, I was=20
even greener then than I am now :)</FONT></SPAN></DIV>
<BLOCKQUOTE dir=3Dltr style=3D"MARGIN-RIGHT: 0px">
<DIV class=3DOutlookMessageHeader dir=3Dltr align=3Dleft><FONT =
face=3DTahoma=20
size=3D2>-----Original Message-----<BR><B>From:</B> Armin Hartinger=20
[mailto:armin@pctechware.com]<BR><B>Sent:</B> Sunday, November 12, =
2000 1:05=20
AM<BR><B>To:</B> =
Plug-discuss@lists.PLUG.phoenix.az.us<BR><B>Subject:</B> got=20
cracked!<BR><BR></FONT></DIV>
<DIV><FONT face=3DArial size=3D2>drwxrwxrwx    7=20
110     =20
203          4096 =
Nov  4=20
22:45 .<BR>drwxr-xr-x   14 =
110     =20
203          4096 Sep 24 =
12:04=20
..<BR>-rw-r--r--    1 armin   =20
armin        2326 Sep 25 18:25=20
apache_pb.gif<BR>drwxrwxr-x    2 =
armin   =20
armin        4096 Sep 25 18:27=20
deborah<BR>drwxrwxrwx    4 armin   =20
armin        4096 Oct 10 14:45=20
dev<BR>-rw-r--r--    1 root    =20
ftp          1431 Oct 24 =
20:06=20
index.html<BR>drwxrwxrwx    2 armin   =20
armin        4096 Nov 11 17:01=20
kristen<BR>drwxrwxrwx    3 armin   =20
armin        4096 Nov 11 16:08=20
lauren<BR>drwxrwxrwx    7 =
110     =20
203          4096 Aug =
16 =20
1999 manual<BR>-rw-r--r--    1 =
root    =20
ftp            =
66 Oct=20
24 20:04 old.html<BR>[armin@gateway=20
=
/www]$           =
            =
            =
            =
          =20
</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Someone hacked into my little Linux =
gateway box.=20
He defaced index.html and saved the old one as old.html</FONT></DIV>
<DIV><FONT face=3DArial size=3D2>That he appears as root/ftp, is that =
an=20
indication how he got in?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I had anon. ftp running, using the =
default one RH=20
6.2 ships with (wu-2.6.0).</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I suppose I have to completely =
re-setup that box,=20
I just would like to know what hole to close there.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Any ideas?</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>If anybody wants to see the deface =
before I=20
fix by box: <A=20
href=3D"http://24.221.63.194/">http://24.221.63.194/</A></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial =
size=3D2></FONT> </DIV></BLOCKQUOTE></BODY></HTML>

------_=_NextPart_001_01C04D91.70417AB0--

This message is part of the following thread:
	the complete thread tree sorted by date
	Lucas Vogel at