[Plug-security] I'm Cracked
David Sinck
sinck@owmyeye.ugive.com
Tue, 15 Aug 2000 15:15:16 -0700 (MST)
\_ It didn't take long, but my Red Hat 6.2 installation has
\_ been cracked. I did a basic install and nothing else.
\_ It appears as though somebody did an anonymous 'ftp'
\_ and did something that allowed them to create two
\_ accounts (scam and x). I cannot find any other files
\_ that may have been copied onto the machine. The machine
\_ will be re-installed sometime soon, but at this moment
\_ the only thing I've done is remove 'ftp' from /etc/passwd,
\_ deleted bogus accounts, and changed passwords on the
\_ remaining user accounts. I'd like to do checksums
\_ to see if programs such as passwd and login have been
\_ replaced, but that is for another time.
rpm -Va and look at the output. A good man page read would explain
it. 'find' may be illuminating too.
\_ Does anybody know how this crack was accomplished?
prolly a buffer overflow in ftp if ftp was the weak point. Check
Red Hat security announcements.
David
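
The `rpm -Va` check suggested in the reply, as an added example that is not part of the original post: a filter that reduces the verify output to packaged non-config files whose content digest no longer matches, or that are missing. The function names and the sample lines are constructed for illustration, and paths containing whitespace are assumed not to occur.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `rpm -Va` output on
# stdin. Each line is: <flags> [attribute marker] <path>, where position 3
# of the flag string is '5' when the file's digest differs from the RPM
# database, and the marker 'c' denotes a config file.

flag_changed_binaries() {
    awk '
    {
        attr = (NF >= 3) ? $2 : ""   # optional marker, e.g. c = config
        path = $NF                   # assumption: no whitespace in paths
    }
    # Config files are expected to change after install; skip them.
    attr == "c" { next }
    # Packaged file no longer on disk.
    $1 == "missing" { print "MISSING " path; next }
    # Content digest mismatch on a non-config file.
    substr($1, 3, 1) == "5" { print "CHANGED " path " (" $1 ")" }
    '
}

# Constructed sample in the rpm -Va output format, for offline use.
sample_rpm_va() {
    cat <<'EOF'
S.5....T c /etc/passwd
.......T c /etc/inittab
S.5....T   /bin/login
..5....T   /usr/bin/passwd
.M......   /var/spool/mail
missing  c /etc/example.conf
missing    /usr/sbin/example-tool
EOF
}

# Demo on the constructed sample; on a real host: rpm -Va | flag_changed_binaries
sample_rpm_va | flag_changed_binaries
```

On a machine already believed compromised, the local rpm binary and its database may have been altered as well, so run the verification with rpm and a package database taken from known-good media.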