I recently had the same thing happen to one of my web servers. They were able to gain access through the news service, which I had inadvertently left running at installation time. Then they promoted the news user to uid 0 and were able to gain root privileges. They created a user called "system" with uid 0 as well. My final option was to disconnect, remove the rootkits and change all passwords. I also set nologin for the news user, secured that service, and changed my firewall configuration to not allow ssh through on the outside interface. Right now the only services I am allowing to pass on the outside interface are web, secure web, dns, smtp and pop3. I also have these services inspected at the router to ensure they go where they're supposed to.

Also, it didn't help that with the rootkits installed they were e-mailing my passwd, passwd-, shadow and shadow- files to what appeared to be some server in California. Further investigation indicated that those were ARP spoofed, so I really don't know where it went. If you haven't done so, you should also make a report to CERN.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rob Bootsma
Sent: Friday, August 22, 2003 9:33 AM
To: [EMAIL PROTECTED]
Subject: [luau] RH 9 server hacked -- what went wrong?

Hi all,

I just recently set up a RH 9 server (less than a week ago), and it has already been hacked. I know I'm going to have to reinstall, but I was hoping to find out what vulnerability was exploited so it doesn't happen again next time. I don't think any passwords were cracked. They must have used some other known exploit. But which one?

Here's what I know. It looks like they installed some sort of IRC relay. It also seems that they tampered with sshd and samba. Some of the packages from the rootkit they used include kool.tar.gz, psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others). Does anyone know what these do? Syslog was also tampered with (this was my first clue). Chkrootkit shows ifconfig, login, and pstree as infected.

So my question is, how did they get root? Well, I guess they used this rootkit, but how did they manage to install that? Where is the vulnerability? If anyone has any suggestions of what to look for before I wipe out this box, it would be greatly appreciated.

Aloha,
Rob

_______________________________________________
LUAU mailing list
[EMAIL PROTECTED]
http://videl.ics.hawaii.edu/mailman/listinfo/luau
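The reply above mentions two things worth checking on a box like Rob's before it is wiped: an extra uid 0 account (the "system" user) and a service account ("news") left with a real login shell. The script below is an added example written for this page, not code from either poster. It runs the two checks, plus the corrective step of locking a service account's shell, against a constructed passwd-style sample that mirrors what the reply describes; the account names, uids and the 500 cutoff for system accounts are assumptions for illustration. On a real system you would point the functions at /etc/passwd (and compare the result with the copies in passwd- and the package manager's records, since a rootkit that replaced login and ifconfig may have touched those too).

```shell
#!/bin/sh
# Added example (not from the thread): minimal passwd triage after a
# suspected root compromise, run on a constructed sample so it works offline.

# Constructed sample modelled on the reply above: a second uid-0 account
# named "system" and the "news" service user with an interactive shell.
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:/bin/bash
system:x:0:0::/tmp:/bin/sh
apache:x:48:48:Apache:/var/www:/sbin/nologin
EOF
)

# List every account whose uid is 0 but whose name is not "root".
# Any hit here is a backdoor account, never a legitimate configuration.
extra_uid0_accounts() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# List service accounts (uid below 500, the assumed RH 9 system range) that
# still have a usable shell instead of nologin/false. Each one is a login
# path an attacker can use once a daemon running as that user is popped.
service_accounts_with_shell() {
    printf '%s\n' "$1" | awk -F: '
        $3 < 500 && $1 != "root" && $7 !~ /(nologin|false)$/ { print $1 }'
}

# Emit the passwd data with the named account's shell set to /sbin/nologin,
# the change the reply describes making for the news user.
lock_service_shell() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '
        BEGIN { OFS = ":" } $1 == u { $7 = "/sbin/nologin" } { print }'
}

# Stand-alone report over the sample.
echo "extra uid 0 accounts:"
extra_uid0_accounts "$SAMPLE_PASSWD"
echo "service accounts with a login shell:"
service_accounts_with_shell "$SAMPLE_PASSWD"
echo "after locking news:"
lock_service_shell "$SAMPLE_PASSWD" news | awk -F: '$1 == "news"'
```

The uid-0 check is the one to run first: uid is what the kernel authorises on, so a second uid-0 line gives full root regardless of its name, and chkrootkit's signature checks will not flag it. The shell check is a hardening pass rather than evidence of compromise, and the lock step only closes interactive logins; the daemon that was exploited still needs to be disabled or patched separately.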
