Re: My Redhat 7.0 has been hacked, again! Help!

From: Bill Unruh (unruh@physics.ubc.ca)
Date: 12/31/01

• Next message: irado furioso com tudo: "Re: I want to make a Linux IPSEC VPN"
• Previous message: teddymills@hotmail.com: "I want to make a Linux IPSEC VPN"
• In reply to: 7knots.com: "My Redhat 7.0 has been hacked, again! Help!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: unruh@physics.ubc.ca (Bill Unruh)
Date: 31 Dec 2001 18:24:08 GMT

In <KsXX7.8988$DO.1019723@news1.calgary.shaw.ca> "7knots.com" <sevenknots@shaw.ca> writes:

]I had telnet & finger services running when this happened.
]Don't know how the hacker got in.

Probably because he sniffed your password from some other broken
machine, or because you did not change every user's password the first
time. Also probably because you did not install all of the software
updates for Redhat 7.0.

]He created a user "tty1" with uid:gid = 0:500
]touched /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow and /etc/mtab

He changed much more than that. Reinstall. Save your personal stuff, on
a backup, reformat the partitions (esp the / and /usr) and reinstall.
Then after reinstall, update all the programs, change all the passwords,
and scan the restored files with
find /home -perms +6000 -ls
(or whereever your restored files were put.)

]edited the /etc/issue.net file such that, as of today, I can't even delete
]it! (even
]after reboot!) It shows the ownership of "root/root" all right. ???????

chattr -i /etc/issue.net

]He cleaned all /var/log files and their ownership carried root/stty1

]From the Raman Noodle experience, it looks to me like a new worm attack.
]Can anyone of you help?! Thanks a lot.

Who knows but see above as to how I suspect he got in. Your job now is
to clean up. Reinstall this time. Keep up to date with security updates.
Use ssh, not telnet.

---

• Next message: irado furioso com tudo: "Re: I want to make a Linux IPSEC VPN"
• Previous message: teddymills@hotmail.com: "I want to make a Linux IPSEC VPN"
• In reply to: 7knots.com: "My Redhat 7.0 has been hacked, again! Help!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: boot sector f*ed ... So that you don't have to reinstall ... do not "futz around" - I have been doing my updates with portupgrade ... case is to delete all ports and reinstall them. ... ghostscript - do I really need it? ... (freebsd-questions) Re: 2008 SBS no longer boots ... it were, the machine wouldn't run after reinstall, it does. ... Also, if it were hardware, and it is this consistent through ... it pulls all the updates in itself. ... driver updates tho'. ... (microsoft.public.windows.server.sbs) Re: OE doing strange things when typing in rich text mode ... I think a reinstall might be best in this situation, ... get all the necessary Windows updates to ensure success. ... How to reinstall or repair Internet Explorer and Outlook Express in Windows ... Toolbar and Customize and tried to ... (microsoft.public.windows.inetexplorer.ie6_outlookexpress) Re: XP Pro running slow ... I usually check for any critical updates once a week. ... I did not install any new software, but I did install some critical ... that I am only using 414 megs so why is the system process taking up so ... How did you do this reinstall of XP? ... (microsoft.public.windowsxp.general) Re: XP Pro running slow ... Firefox loads the pages faster ... The system process is taking up as much as ... You originally state you thought it slowed down after doing some updates through windows update. ... How did you do this reinstall of XP? ... (microsoft.public.windowsxp.general)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.os.linux.security  > 2001-12