Thanks, everyone, for sharing your comments. No, this box was not firewalled, nor had I applied any security patches. I had every intention of doing so, I just didn't realize I'd get hit so quickly. Like I said, it had only been up for a few days (and for most of that time it was not even reachable from the Internet).
I admit, this box was pretty wide open. Still, I'm curious to know which exploit was used. Here's the output of nmap. (Sorry, Hoala, I pulled this box off the Net as soon as I verified the hack. I still have the internal interface up.)

Port      State Service
21/tcp    open  ftp
22/tcp    open  ssh
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
110/tcp   open  pop-3
111/tcp   open  sunrpc
139/tcp   open  netbios-ssn
143/tcp   open  imap2
443/tcp   open  https
445/tcp   open  microsoft-ds
783/tcp   open  hp-alarm-mgr
953/tcp   open  rndc
993/tcp   open  imaps
995/tcp   open  pop3s
1241/tcp  open  msg
1723/tcp  open  pptp
10000/tcp open  snet-sensor-mgmt

I'll take this as a painful but good learning experience. Luckily there was no data on the box yet. If this had happened a week from now, I'd be a lot worse off.

Rob

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rob Bootsma
Sent: Friday, August 22, 2003 9:33 AM
To: [EMAIL PROTECTED]
Subject: [luau] RH 9 server hacked -- what went wrong?

Hi all,

I just recently set up a RH 9 server (less than a week ago), and it has already been hacked. I know I'm going to have to reinstall, but I was hoping to find out what vulnerability was exploited so it doesn't happen again next time. I don't think any passwords were cracked. They must have used some other known exploit. But which one?

Here's what I know. It looks like they installed some sort of IRC relay. It also seems that they tampered with sshd and samba. Some of the packages from the rootkit they used include kool.tar.gz, psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others). Does anyone know what these do? Syslog was also tampered with (this was my first clue). Chkrootkit shows ifconfig, login, and pstree as infected.

So my question is, how did they get root? Well, I guess they used this rootkit, but how did they manage to install that? Where is the vulnerability?

If anyone has any suggestions of what to look for before I wipe out this box, it would be greatly appreciated.

Aloha,
Rob

_______________________________________________
LUAU mailing list
[EMAIL PROTECTED]
http://videl.ics.hawaii.edu/mailman/listinfo/luau
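As an added example (not part of Rob's post or the thread), here is a small script that parses the nmap table quoted above and lists every open port that is not on an intended-service allowlist, the kind of pre-launch check this box never got. The allowlist (ssh, smtp, http, https) is an assumption about what the box was meant to serve, not something the thread states.

```python
import re
from typing import NamedTuple

# The nmap port table as posted in the thread, one entry per line.
NMAP_OUTPUT = """\
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
139/tcp open netbios-ssn
143/tcp open imap2
443/tcp open https
445/tcp open microsoft-ds
783/tcp open hp-alarm-mgr
953/tcp open rndc
993/tcp open imaps
995/tcp open pop3s
1241/tcp open msg
1723/tcp open pptp
10000/tcp open snet-sensor-mgmt
"""

# Constructed allowlist: what the box was assumed to be meant to expose (not from the thread).
ALLOWED = {(22, "tcp"), (25, "tcp"), (80, "tcp"), (443, "tcp")}

class PortEntry(NamedTuple):
    port: int
    proto: str
    state: str
    service: str

# Matches rows like "21/tcp open ftp"; the header row does not match and is skipped.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_nmap(text):
    """Parse nmap's port table into PortEntry tuples, ignoring header and blank lines."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entries.append(PortEntry(int(m[1]), m[2], m[3], m[4]))
    return entries

def unexpected_exposure(entries, allowed):
    """Open ports not on the allowlist: each is surface to firewall off or disable before going live."""
    return [e for e in entries if e.state == "open" and (e.port, e.proto) not in allowed]
```

Running `unexpected_exposure(parse_nmap(NMAP_OUTPUT), ALLOWED)` on the posted table flags 14 of the 18 open ports, which is roughly the exposure the box carried for the few days it was reachable.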
