[Plug-security] I'm Cracked

J.L.Francois frenchie@magusnet.gilbert.az.us
Tue, 15 Aug 2000 15:34:54 -0700


Take a trip over to CERT [ http://www.cert.org ] and look at the
various exploits there.
Focus on the FTP exploits and BIND exploits.

**************** You will have to reinstall *********************

A rootkit will leave your machine vulnerable and hides things by changing
the functions of binaries.

Sometimes if you use: netstat -a
or : lsof
you can see that ports are open that should not be.

Contact me offline if you have any in-depth questions.

Jean Francois - JLF Sends...
President & CEO - MagusNet, Inc., MagusNet.com, MagusNet.Gilbert.AZ.US
Director Of Managed Services - OpNIX,Inc., www.opnix.com
OpNIX - Simply Better Bandwidth

It seems like on Tue, Aug 15, 2000 at 03:11:55PM -0700, G.D.Thurman scribbled:
Orig Msg> It didn't take long, but my Red Hat 6.2 installation has
Orig Msg> been cracked.  I did a basic install and nothing else.
Orig Msg> It appears as though somebody did an anonymous 'ftp'
Orig Msg> and did something that allowed them to create two
Orig Msg> accounts (scam and x).  I cannot find any other files
Orig Msg> that may have been copied onto the machine.  The machine
Orig Msg> will be re-installed sometime soon, but at this moment
Orig Msg> the only thing I've done is remove 'ftp' from /etc/passwd,
Orig Msg> deleted bogus accounts, and changed passwords on the
Orig Msg> remaining user accounts.  I'd like to do checksums
Orig Msg> to see if programs such as passwd and login have been
Orig Msg> replaced, but that is for another time.
Orig Msg> 
Orig Msg> Does anybody know how this crack was accomplished?
Orig Msg> 
Orig Msg> Thanks.
Orig Msg>
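The two checks the reply recommends, comparing binaries against a known-good checksum baseline and looking for listening ports that should not be there, as an added shell example. This script is not part of the list post or of the poster's system; the file names, the port allowlist and the netstat output it parses are all constructed for the demonstration. It assumes `sha256sum` or `shasum` is available and that `netstat -an` prints the usual Linux column layout.

```shell
#!/bin/sh
# Added example (not from the original list post): defender-side triage
# helpers for a host suspected of carrying a rootkit. All paths, digests
# and the netstat sample below are constructed for the demonstration.

# hash_file PATH -> prints the SHA-256 hex digest of PATH.
# Uses sha256sum (GNU coreutils) when present, otherwise shasum -a 256.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_baseline FILE... -> prints one "digest path" line per file.
# Take the baseline right after a clean install and keep it off the host
# (or on read-only media) so a later compromise cannot rewrite it.
make_baseline() {
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# verify_baseline BASELINE_FILE -> prints "CHANGED path" when a file's
# digest no longer matches the recorded one and "MISSING path" when the
# file is gone; prints nothing when everything still matches.
# Caveat from the reply: a rootkit replaces binaries, and that can include
# sha256sum, sh or cut, so run this with tools from trusted media.
verify_baseline() {
    while read -r recorded path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(hash_file "$path")" != "$recorded" ]; then
            printf 'CHANGED %s\n' "$path"
        fi
    done < "$1"
}

# unexpected_listeners ALLOWED_PORTS -> reads netstat -an output on stdin
# and prints "proto port" for every LISTEN socket whose local port is not
# in ALLOWED_PORTS (a space-separated list). Header lines, established
# connections and UDP lines (which carry no state column) are skipped.
unexpected_listeners() {
    allowed=" $1 "
    while read -r proto recvq sendq laddr foreign state; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}          # strip everything up to the last colon
        case "$allowed" in
            *" $port "*) ;;        # expected service, ignore
            *) printf '%s %s\n' "$proto" "$port" ;;
        esac
    done
}

# sample_netstat -> constructed netstat -an output for a stand-alone run.
# The listener on 31337 stands in for a port no installed service owns.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40112          ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF
}

# Stand-alone demonstration on the constructed sample; on a live host
# replace sample_netstat with: netstat -an | unexpected_listeners "21 22 25"
sample_netstat | unexpected_listeners "21 22 25 80"
# prints: tcp 31337
```

On a Red Hat system `rpm -Va` performs a similar comparison against the RPM database for every packaged file, but the database and the `rpm` binary live on the same disk the intruder controlled, so a mismatch is evidence while a clean report is not proof; the reply's advice that the machine has to be reinstalled still stands either way.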