I set up a server for my residency program and in 4 days the sucker got hacked, rootkitted, and shut down for sending a DOS attack against worldcom.net (why not disney, M$, or AOL?)

They did the works on it: ps, ls, du, df, etc. They installed ssh2d and even had the balls to do X11 forwarding so they could see their handiwork in living color, I presume. I don't know how they got in and I'm a little nervous about these guys doing the same thing again. It's embarrassing, but I may not have had the firewall up and relied on the default RedHat 7.2 medium security setting. I did turn off talk, telnet and some of those services, but ftp was running, and zope on 8080 and 8021, and apache on 80, and ssh on 22. It had the old zlib and python 2.1.

I have 3 questions:

1. Does anyone know default RH 7.2 services that would be vulnerable to this sort of attack?

2. Does anyone know of this particular set of attacks? (A doctor posted on google groups about a very similar attack on 7.2 with similar changes to /lib/security/.config.) We found a bunch of what they did and found files in /lib/security/.config that had been added/changed:

    lib/security/.config/
    lib/security/.config/backup/
    lib/security/.config/backup/login
    lib/security/.config/backup/sendmail
    lib/security/.config/backup/network
    lib/security/.config/sshd
    lib/security/.config/ssh/
    lib/security/.config/ssh/ssh_host_key.pub
    lib/security/.config/ssh/sshd_config
    lib/security/.config/.addr
    lib/security/.config/.cron
    lib/security/.config/.logs
    lib/security/.config/free
    lib/security/.config/.files
    lib/security/.config/grabbb
    lib/security/.config/sunos
    lib/security/.config/targets
    lib/security/.config/pg
    lib/security/.config/x2

Here's the sshd_config file:

    # This is ssh server systemwide configuration file.
    Port 15000
    ListenAddress 0.0.0.0
    ServerKeyBits 768
    LoginGraceTime 600
    KeyRegenerationInterval 3600
    PermitRootLogin yes
    IgnoreRhosts no
    StrictModes yes
    QuietMode no
    X11Forwarding yes
    X11DisplayOffset 10
    FascistLogging no
    PrintMotd yes
    KeepAlive yes
    SyslogFacility DAEMON
    RhostsAuthentication no
    RhostsRSAAuthentication yes
    RSAAuthentication yes
    PasswordAuthentication yes
    PermitEmptyPasswords yes
    UseLogin no

3. Does anyone know where I can find these guys so that I can fuck 'em up?

I feel violated, though after talking to John Hunter I feel like I just had my cherry popped and have learned a lesson. (A windozer friend has been harping on me saying "See, the open source community isn't as lovey dovey good natured as you said...") I'll probably reformat tonight in a couple of hours. If there's anything I should save to help diagnose/avenge, let me know. Does anyone know of any support groups for hackees?

Thanks.

Joshua

_______________________________________________
Bits mailing list
[EMAIL PROTECTED]
http://www.sugoi.org/mailman/listinfo/bits
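The sshd_config pasted above is a useful triage artifact on its own: a second sshd on a non-standard port that allows root logins and empty passwords is the backdoor's whole purpose, and the dot-directory under /lib/security is not something any Red Hat package creates. The following script is an added example, not code from the post or from the Bits list; it embeds the config and the file list exactly as Joshua pasted them and flags the settings and paths a responder would want pulled out before the box is reformatted. The list of "risky" directives and the rule that hidden entries under /lib are suspicious are my assumptions, chosen to match this case.

```python
"""Triage helpers for a suspected rogue sshd (added example, not from the
original post).  SAMPLE_SSHD_CONFIG and SAMPLE_PATHS are copied from the
message above; RISKY_DIRECTIVES and the hidden-path rule are assumptions."""
from typing import Dict, Iterable, List

SAMPLE_SSHD_CONFIG = """\
# This is ssh server systemwide configuration file.
Port 15000
ListenAddress 0.0.0.0
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
"""

SAMPLE_PATHS = [
    "lib/security/.config/", "lib/security/.config/backup/",
    "lib/security/.config/backup/login", "lib/security/.config/backup/sendmail",
    "lib/security/.config/backup/network", "lib/security/.config/sshd",
    "lib/security/.config/ssh/", "lib/security/.config/ssh/ssh_host_key.pub",
    "lib/security/.config/ssh/sshd_config", "lib/security/.config/.addr",
    "lib/security/.config/.cron", "lib/security/.config/.logs",
    "lib/security/.config/free", "lib/security/.config/.files",
    "lib/security/.config/grabbb", "lib/security/.config/sunos",
    "lib/security/.config/targets", "lib/security/.config/pg",
    "lib/security/.config/x2",
]

# directive (lower-cased) -> (value that is a finding, why it matters).
# This table is an assumption for this example, not an sshd default.
RISKY_DIRECTIVES = {
    "permitrootlogin": ("yes", "root can log in directly over SSH"),
    "permitemptypasswords": ("yes", "accounts with empty passwords can log in"),
    "rhostsrsaauthentication": ("yes", "rhosts-style host trust is enabled"),
    "ignorerhosts": ("no", "~/.rhosts and ~/.shosts are honoured"),
    "x11forwarding": ("yes", "X11 forwarding is enabled"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map each directive (lower-cased) to its value, skipping blanks and
    comments.  The first occurrence wins, which is how sshd reads its file."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd_config(text: str) -> List[str]:
    """Return human-readable findings for a config; an empty list is clean."""
    conf = parse_sshd_config(text)
    findings: List[str] = []
    port = conf.get("port")
    if port and port != "22":
        findings.append(f"Port {port}: listening on a non-standard port "
                        "(a second sshd beside the packaged one?)")
    for key, (bad, reason) in RISKY_DIRECTIVES.items():
        if conf.get(key, "").lower() == bad:
            findings.append(f"{key} {bad}: {reason}")
    return findings


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Flag entries under /lib that contain a dot-prefixed component.
    Assumption: no legitimate package drops hidden directories there."""
    flagged = []
    for p in paths:
        parts = p.strip("/").split("/")
        if parts[0] == "lib" and any(c.startswith(".") for c in parts[1:]):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    for f in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print("sshd_config:", f)
    for p in suspicious_paths(SAMPLE_PATHS):
        print("hidden under /lib:", p)
```

Run against the pasted config it reports the port plus all five risky directives; run against a stock "Port 22 / PermitRootLogin no" file it reports nothing, which is the point of keeping the copy of the rogue sshd_config and the file list (rather than just the disk image) before reinstalling.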
