got cracked, part II was: Re: got cracked!

Armin Hartinger armin@pctechware.com
Mon, 13 Nov 2000 12:21:31 -0700


Yeah, I had standard telnet running. I will switch now to SSH and won't run FTP. The thing with Redhat is, I barely got the grasp on
this distribution, I'm not feeling like getting my feet wet all over again with something new.

I'm sorry about this crashing out, it's entirely my fault as I do my spammail at home with Outlook Express. Not b/c of features (heck
NO!), just I was lazy and didn't consider it to be important.

This I write in Netscape.

Hawke wrote:

> ok,
> given the type of "break in" it looks like a rootkit was
> also installed. keep the machine around as long as possible
> until you get the other one set up.
>
> I would highly recommend that you use something other than
> redhat 7.0 though (too many security holes and other "bugs"
> to be considered reliable). other systems that offer greater
> security include: debian, caldera and openBSD/freeBSD (the last is
> generally secure enough for most users and can be enhanced for
> enterprise usage security as well).
>
> also, were you running telnet daemon on your system? if so, that's
> a way in right there.
>
> Also, there appears to be something wrong with your e-mail client
> (the html you are sending to the list causes my netscape to
> crash out (self terminate) upon hitting the reply to button)
>
> *** for the rest of the list ***
> I have a couple of security related questions I'd like answered.
> 1. how can I regulate programs like "top" so that they don't show
> every process running under the sun when a user (not root) calls it?
> 2. are there any programs in the /usr/* hierarchy that I should chmod
> as u-x?
>
> Hawke
>
> "Armin Hartinger" <armin@pctechware.com> wrote on
> 13 November, 2000 at 01:15 hours:
>
> >Ok an update on my little adventure:
> >
> >I mailed him, no reply.
> >
> >I dug up another hard drive on which I will set up a new Linux
> >and meanwhile I can plug in the old "corrupted" hdd to keep
> >the show running before I finalize the new setup. Currently
> >I'm playing around with RH7, but the memo from the GCC developers
> >stating that RH7's gcc is only a development version makes me a
> >little uneasy about it. What's the scoop?
> in answer to this question: redhat included an unstable cvs snapshot
> of the gcc compiler when they shipped redhat 7. The reasons for this
> are many and varied (mostly conjecture) but one good reason was
> that the new snapshot has capabilities with the new ABI engine.
> Given this, when gcc finally finalizes their gcc revision, redhat will
> have to revamp their system yet again (as the new gcc will have new
> capabilities and may not be entirely compatible with older versions)
>
> >
> >When I set up that box originally, I figured "well, who would
> >want to do something with it, it's just a plain gateway box?".
> >But over the months it grew, I put on apache, php, mysql, GnuPG,
> >SMB and used it as development server for my sidejobs. Also I
> >set up subdomains for my kids and what not... now I have to set
> >it all up again and it's a royal PITA.
> >
> >I plan to run too many services on it to be really secure, but
> >I will nevertheless tighten things up a bit. FTP will go for
> >sure. I guess I rather log in remotely via SSH and ftp manually
> >from there. I will also take some closer looks into "Maximum
> >Linux Security" which I picked up a while ago. My firewall rules
> >were a bit liberal too...
> >
> >Another thing I'd be interested in is some form of automated
> >backup of certain directories. I don't have a backup drive at
> >the moment and I don't really want to run another electricity
> >hogging PC constantly which could suck down files with 'expect'
> >or similar... anybody got ideas?
> >
> >Now some more details about my corrupted box & that cracker.
> >
> >Whatever he wrote about that he didn't damage anything, just
> >deleted the logs and changed some html-files doesn't sound at all
> >likely. HE created a new user "skizzo", some more usergroups
> >and pseudo-legit accounts. Judging from the remaining files
> >in a directory ".stuff" in /home/skizzo/, he installed one or
> >more bots in the system. Looking into cron.d and rc.d showed all
> >kinds of weird stuff called.
> >
> >I also found a .gz and programs called "adore" and "ava". Ava seems
> >to be a program to hide tasks so they don't show up with "ps" anymore
> >and something else weird it seems to do with PIDs. Adore does some
> >other little thingies...
> >from ava.c:
> >    printf("Usage: %s {h,u,r,i,v,U} [file, PID or dummy (for 'U')]\n\n"
> >           "       h hide file\n"
> >           "       u unhide file\n"
> >           "       r execute as root\n"
> >           "       U uninstall adore\n"
> >           "       i make PID invisible\n"
> >           "       v make PID visible\n\n", argv[0]);
> >
> >If anybody wants those programs to play around with them... just lemme know.
> >
> >Well, bottom line is that I absolutely will set up a new OS and will
> >tighten security a little. Since I was an easy target once as it seems,
> >I can expect more to come, right?
>
> -Armin
>
> --
> Make a few extra $$$.
> Join http://www.processtree.com/?sponsor=29027
>
> The rest of this signature is currently out of service.
>
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
>
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
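Armin's note that ava makes PIDs invisible to ps, and Hawke's rootkit remark, point at a defender's check the thread does not spell out: ps and top build their list by reading the /proc directory, so a process that a kernel module strips from that listing can still be found by asking the kernel about every PID number directly. The following is an added example, not code from the list or from either poster; it assumes a Linux host with procfs mounted at /proc and a Python 3 interpreter.

```python
import os

PROC = "/proc"   # assumes a Linux host with procfs mounted here

def listed_pids():
    """PIDs as ps and top see them: the numeric entries from reading /proc."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}

def pid_exists(pid):
    """Ask the kernel about one PID directly with the null signal kill(pid, 0)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True   # exists, but belongs to another user
    return True

def is_thread(pid):
    """kill() also answers for thread IDs, which /proc never lists; skip those."""
    try:
        with open(f"{PROC}/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass   # no status file at all: keep the PID as a candidate
    return False

def probed_pids(max_pid):
    """Every PID in 1..max_pid that answers kill() and leads its thread group."""
    return {pid for pid in range(1, max_pid + 1)
            if pid_exists(pid) and not is_thread(pid)}

def hidden_pids(max_pid=None):
    """PIDs the kernel answers for but that appear in neither /proc listing."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    before = listed_pids()          # two listings bracket the probe so processes
    probed = probed_pids(max_pid)   # that start or exit mid-scan are not reported
    after = listed_pids()
    return probed - (before | after)

def own_pid():
    return os.getpid()   # the scanner itself must always be both listed and probed

if __name__ == "__main__":
    suspects = hidden_pids()
    print("PIDs missing from the /proc listing:", sorted(suspects) or "none")
```

A non-empty result is a lead, not a verdict: on a host whose /proc is mounted with the hidepid option, other users' processes are legitimately absent from the listing (that mount option is also the usual answer to Hawke's question about top), so run the scan as root and confirm any hit from a known-good boot medium.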