Re: ftp was hacked

From: Ed Turner (
Date: 12/30/01

  • Next message: gaius.petronius: "understanding chkrootkit: sshd section"

    From: Ed Turner <>
    Date: Sun, 30 Dec 2001 04:32:00 GMT

    You want to use the 'chattr' to see if the hacker changed the immutable bit on the file. If this was set, no
    one not even root can erase, rename, modify, or anything. It has to be unset by root using this command, then
    you should be able to do whatever it is you need to do.

    Ed Turner
    Chicago, IL

    Bill Unruh wrote:

    > In <> "R.A.Wilson" <> writes:
    > ]Hi -
    > ]I have some info to pass along, and a question...
    > ]A cracker exploited a hole in wu-ftp 2.6.0 and managed to install
    > ]a sniffer and a port scanner on my machine. I use slackware, 2.2.16
    > ]The only reason I found out is that a sharp Linux administrator noted
    > ]port scans coming from my machine and wanted to know what was going on.
    > ]I looked like the bad guy.
    > ]After a lot of work, I found the intruder had made a directory where
    > ]he put his sniffer log and other programs. He had them set up in:
    > ] /dev/ida/.inet
    > ]I don't believe that's a legitimate diretory.
    > ]When I looked at a file called tcp.log, in that directory, I was
    > ]stunned to see he had plain text passwords of all the users on my
    > ]machine. I couldn't pull the plug fast enough!
    > ]He also had managed to put an illegal account in /etc/passwd. He used
    > ]the account name www. I found files belonging to www and rm'd them.
    > ]I also took him out of the passwd file. I updated wu-ftp to the latest
    > ]version of 2.6.2 and thought that solved the problem.
    > ]A few days later I wanted to install a later version of hdparm. I was
    > ]using version 3.9 and 4.6 was out. I did a 'locate hdparm' and found
    > ]two of them: one in /use/bin/hdparm and the other in /use/sbin.hdparm.
    > ]Which was correct? I did 'which hdparm' and found the one in /usr/sbin
    > ]was it. it was also a binary file. Curious, I looked at the other one.
    > ]This is what it looked like:
    > ] #!/bin/sh
    > ] cd /dev/ida/.inet
    > ] ./sshdu -f ./s
    > ] ./linsniffer >> ./tcp.log &
    > ] cd /
    > ]So, just by a lucky accident I had discovered the intruder's script to
    > ]call his sniffer.
    > ]I tried to move the file. I tried to edit the file. I tried to remove
    > ]it. Nothing. Root cannot touch it! Here's the system message I get
    > ]when I try any of the above...
    > ] cannot unlink 'hdparm': Operation not permitted.
    > ]Now my question... HOW THE HELL DO I GET RID OF THIS GARBAGE???
    > ] -Roy Wilson-
    > ]===================================================================
    > What you do is to backup all of your users files and then you wipe the
    > disk and reinstall, making sure that you install all of the security
    > patches. Then you replace the backup material that you need. Then you
    > scan all of that backed up material for suid files and get rid of them.
    > eg
    > find /home -perm +6000 -ls
    > PS In answer to your question, read
    > man chattr, especially the -i flag.
    > But as you have discovered the chances of your finding all of the
    > backdoors he has installed are nill.
    > So do not try. Just reinstall, and remmember to keep up with security
    > patches. That hole was patched about a year ago.

    Relevant Pages

    • Cant install zones - pkginfo files of SUNWcakr, SUNWcsr, SUNWckr, ... is corrupt - bad patch
      ... I installed all the "missing" patches according to PCA on a 280R ... tried to install a new zone. ... system SUNWcakr Core Solaris Kernel Architecture (Root) ...
    • RE: Location of web root
      ... Subject: Location of web root ... during install) pointing out that a Custom install will allow for a more ... in a different folder off C:. ... were the script kiddie, how would you exploit the machine. ...
    • Re: Alerting - Malicious software removal tool
      ... >needed to install an application that she could not install from ... >"Administrator" account. ... You failed to analyze the root cause and correct it ... use their computers to have fun. ...
    • Re: Granting root access?
      ... Only use "root" when you really need to. ... before handing it to me for a system install. ... users within the corporate IT environment and help sysadmins keep things ... However, even there, "normal users" were allowed to ...
    • Software-Raid1 Root in Woody
      ... This document briefly describes the steps needed to install a Debian ... Woody GNU/Linux system with root on a software raid1 device. ... I used SCSI disks because I had them easily available, ... I started from floppies (vanilla kernel) + network, ...