got cracked!
der.hans
PLUGd@LuftHans.com
Sun, 12 Nov 2000 12:37:52 -0700 (MST)
Am 12. Nov, 2000 schwäzte Armin Hartinger so:
> drwxrwxrwx 7 110 203 4096 Nov 4 22:45 .
> drwxr-xr-x 14 110 203 4096 Sep 24 12:04 ..
> -rw-r--r-- 1 armin armin 2326 Sep 25 18:25 apache_pb.gif
> drwxrwxr-x 2 armin armin 4096 Sep 25 18:27 deborah
> drwxrwxrwx 4 armin armin 4096 Oct 10 14:45 dev
> -rw-r--r-- 1 root ftp 1431 Oct 24 20:06 index.html
> drwxrwxrwx 2 armin armin 4096 Nov 11 17:01 kristen
> drwxrwxrwx 3 armin armin 4096 Nov 11 16:08 lauren
> drwxrwxrwx 7 110 203 4096 Aug 16 1999 manual
> -rw-r--r-- 1 root ftp 66 Oct 24 20:04 old.html
> [armin@gateway /www]$
>
> Someone hacked into my little Linux gateway box. He defaced index.html
> and saved the old one as old.html That he appears as root/ftp, is that
> an indication how he got in?
There's been at least one recent exploit for ftp. Look at the errata at
RedHat for a fixed version (presuming their shipped version was
susceptible).
I'd say the original file was owned by root.ftp. The cracker probably did
something like "cp index.html old.html; cat tmpfile >index.html", so the
perms are actually what you had before and the cracker had root perms.
> I had anon. ftp running, using the default one RH 6.2 ships with (wu-2.6.0).
That and the hole was all they needed. Shouldn't run anon ftp. Use a web
daemon instead.
> I suppose I have to completely re-setup that box, I just would like to
> know what hole to close there.
Uness you're very certain of what you're doing, you should wipe your box
and reinstall. If you need to restore data find out when you were hit and
restore from before that time.
ciao,
der.hans
--
# der.hans@LuftHans.com home.pages.de/~lufthans/ www.Opnix.com
# Keine Ahnung, was ich dir sagen soll,
# keine Ahnung und keinen (.)plan. -- die Toten Hosen