Victor Michael Blancas wrote:
> It's the second time that someone has hacked into our server. This
> hacker/script kiddie installed the stacheldraht DDOS tool on our server
> and was using our server to launch his attacks. The first time our
> wu-ftpd was exploited. I don't know what exploit he used this time. This
> is the result of an nmap port scan. Does anybody have any ideas? How could
> he have gotten root access?
>
> Starting nmap V. 2.53 by [EMAIL PROTECTED] ( www.insecure.org/nmap/ )
> Interesting ports on laurana.iconverge.com (202.78.85.46):
> (The 1515 ports scanned but not shown below are in state: closed)
> Port State Service
> 21/tcp open ftp
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 80/tcp open http
> 143/tcp open imap2
> 3128/tcp open squid-http
> 6112/tcp open dtspc
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
>
> These are the versions of the services listening on the ports:
> ftp -- ProFTPD 1.2.0
> ssh -- SSH-1.2.27
> smtp --postfix-19991231-pl08
> domain -- bind-8.2.3
> http -- apache-1.3.14
> imap -- IMAP4rev1
> squid -- squid-2.3.STABLE1-5
> 6112 -- bnetd-0.4.23pre9
>
> --
> Mike
>
> _
> Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
> To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
Yeah, that's bad! What I can suggest is to allow only a specific host to
connect on your port 22 (hosts.allow/hosts.deny). Maybe the cause why some servers
get hacked is "social engineering" (refer to Securing & Optimizing Linux: RedHat
6.x by Gerhard Mourani @ http://www.linuxdoc.org), and some of them are brute
forcing your imap/pop to get into your server. While they're inside your
server they look for some tools (refer to http://www.rootshell.com
http://www.technotronic.com http://www.anticode.com http://www.ussrback.com as
mentioned by David Ranch, "TrinityOS") to rewt your servers :(. Remember, the more
services, the more prone your server is to being hacked. :)
Hope this helps,
Jimmy
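The port table from the quoted scan, checked against a baseline of what the host is supposed to expose, as an added Python example that is not part of the thread (the baseline set, the parser and the sample text are mine, assembled from the output quoted above; nothing here was run by the posters):

```python
"""Audit nmap text output against a baseline of services a host is meant to expose.

Every open port that is not in the baseline is an attack-surface question
to answer (bnetd on 6112, squid on 3128, ...), in the spirit of "the more
services, the more prone your server is to being hacked".
"""
import re

# Constructed sample: the port table exactly as quoted from the nmap 2.53 run.
NMAP_OUTPUT = """\
Interesting ports on laurana.iconverge.com (202.78.85.46):
(The 1515 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap2
3128/tcp open squid-http
6112/tcp open dtspc
"""

# Assumed baseline: this box is meant to serve ssh, mail, DNS and web only.
EXPECTED = {("tcp", 22), ("tcp", 25), ("tcp", 53), ("tcp", 80)}

# nmap 2.x prints one "port/proto state service" line per reported port.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_open_ports(text):
    """Return {(proto, port): service} for every port nmap reports as open."""
    found = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found[(m.group(2), int(m.group(1)))] = m.group(4)
    return found


def unexpected_listeners(text, expected=EXPECTED):
    """Open (proto, port, service) triples that are not in the baseline, sorted."""
    found = parse_open_ports(text)
    return sorted((proto, port, svc) for (proto, port), svc in found.items()
                  if (proto, port) not in expected)


if __name__ == "__main__":
    for proto, port, svc in unexpected_listeners(NMAP_OUTPUT):
        print(f"{port}/{proto} ({svc}): open but not in baseline, disable or firewall it")
```

Feed it `nmap -oN` output from a fresh scan of your own host and keep the baseline in version control so a newly appearing listener stands out on the next run.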