Re: Embarassing...
From: erik (erik_at_geenspam.vanwesten.net)
Date: 12/04/03
Date: Thu, 04 Dec 2003 12:27:24 +0100
Michael wrote:
> Well, there's no easy way to put it so I'll just say it....my server got
> hacked by a Turkish citizen. The server has been replaced with a new one
> and the infected one is now sitting in my living room. What I want to know
> is....what went wrong? I consider myself pretty thorough and safe. I
> know I've made some mistakes, but I take pride in my work and I'm pretty
> deflated that this happened to me. Anyway, here's a list of services that I
> had running that would answer to an outside (non-localhost) request:
>
> Linux 2.4.17
> ProFTPd 1.2.2rc2
> Apache 1.3.23
> OpenSSH 3.1p1
> ircD 2.10
> Bind 9.2.1
> Sendmail 8.12.10
> QPopper 4.0.3
> UW IMAP4rev1 2001.292
>
> I looked for security notices that I missed for each one and the only
> one I could find that might cause this was a local user elevation bug
> in the Linux kernel. Maybe I gave too many friends a local account and
> didn't enforce password rules strongly enough. I really do hope that that
> was the problem, but...did I miss a security notice?
>
> The only other note that I'd like to add is that the ircD required a
> strong password to log into and was designed for a web based chat
> program that ran on the web server. In other words, it wasn't a public
> IRC server.
>
> From just looking at the above list, does anyone see what I messed up on?
>
Quickly reading: at the very least: apache (1.3.28), openssh (3.7p1),
proftpd (1.2.9), sendmail (8.12.0) are extremely vulnerable. Between
() are the current versions. To my knowledge all of these were updated
because they had root exploitable vulnerabilities.
I do not know where you did your reading, but that list is not up to date.
EJ
-- Remove the obvious part (including the dot) for my email address. http://www.vanwesten.net for examples of ipf and pf.
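
An added example, not part of either message: a version audit over the four packages named in the reply, using the version numbers exactly as the two messages give them. The suffix ordering (rcN sorts before the plain release, pN after it) and the status names are assumptions of this example.

```python
import re

# Version strings copied as written in the two messages above.
INSTALLED = {"apache": "1.3.23", "openssh": "3.1p1",
             "proftpd": "1.2.2rc2", "sendmail": "8.12.10"}
REFERENCE = {"apache": "1.3.28", "openssh": "3.7p1",
             "proftpd": "1.2.9", "sendmail": "8.12.0"}

_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:(rc|p)(\d+))?$")
# Assumed ordering: release candidate < plain release < portable patch level.
_SUFFIX_RANK = {"rc": -1, None: 0, "p": 1}


def version_key(text):
    """Turn '1.2.2rc2' or '3.7p1' into a tuple that sorts in release order."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so '1.3' and '1.3.0' compare equal
    return (tuple(nums), _SUFFIX_RANK[m.group(2)], int(m.group(3) or 0))


def audit(installed, reference):
    """Classify each installed package against its reference version."""
    report = {}
    for name, have in installed.items():
        want = reference.get(name)
        if want is None:
            report[name] = "no-reference"
            continue
        a, b = version_key(have), version_key(want)
        if a < b:
            report[name] = "behind"
        elif a > b:
            # Installed is newer than the reference number: recheck the
            # reference data before treating the package as up to date.
            report[name] = "ahead-of-reference"
        else:
            report[name] = "current"
    return report


if __name__ == "__main__":
    for name, status in sorted(audit(INSTALLED, REFERENCE).items()):
        print(f"{name:10} installed={INSTALLED[name]:10} "
              f"reference={REFERENCE[name]:8} {status}")
```
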