Peter McCarthy wrote:
> But what they did in an attempt to leave a back door I found intriguing.
> The following lines in /etc/inetd.conf were added by my unwelcome guest.
>
> telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
> 37 stream tcp nowait root /usr/sbin/sock /usr/sbin/sock
probably a socks5 server. With this on your machine they can bounce
through you to do further attacks on others with the attack appearing to
be from your ip.
> I suspect this person gained access to my system via ftpd, is this really
> such a security hole ?
depends what ftp daemon you're running on your machine. if you don't
know then it is probably wu_ftpd, which has had a number of security
issues made public in recent times. you should run wu_ftpd with
tcpwrappers if at all, and only allow in the ip addresses that need to
have access.

if you may need to xfer from a machine not in the list, just ssh in (you
should have sshd running) and change the hosts.allow temporarily.

proftpd is becoming increasingly popular now that wu is synonymous with
swiss cheese.

--
Alexander Else
Internet Operations Technician
OzEmail / UUNET Asia Pacific Operations
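
Added example (not part of the original message): a small Python audit of inetd.conf against a known-good baseline, flagging entries like the two quoted above. The baseline set and the ftp line in the sample are assumptions constructed for illustration.

```python
# Added example: audit inetd.conf entries against a known-good baseline.
# The baseline and the sample text are constructed for illustration.
FIELDS = ("service", "socktype", "proto", "wait", "user", "server")

def parse_inetd(text):
    """Yield (lineno, entry) for each active (non-comment) inetd.conf line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < len(FIELDS):
            yield lineno, {"malformed": raw}
            continue
        entry = dict(zip(FIELDS, parts))
        entry["args"] = parts[len(FIELDS):]
        yield lineno, entry

def audit(text, baseline):
    """Return (lineno, service, reasons) for every entry that needs review."""
    findings = []
    for lineno, e in parse_inetd(text):
        if "malformed" in e:
            findings.append((lineno, None, ["malformed line"]))
            continue
        reasons = []
        if (e["service"], e["server"]) not in baseline:
            reasons.append("not in baseline")
        if e["service"].isdigit():
            reasons.append("numeric port instead of service name")
        is_root = e["user"].split(".")[0] == "root"  # handles user.group form
        if is_root and e["server"] not in ("internal", "/usr/sbin/tcpd"):
            reasons.append("root service not behind tcpd")
        if reasons:
            findings.append((lineno, e["service"], reasons))
    return findings

# Constructed sample: the two lines quoted in the post plus an assumed ftp entry.
SAMPLE = """\
# /etc/inetd.conf
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
37      stream tcp nowait root /usr/sbin/sock /usr/sbin/sock
"""
# Hypothetical baseline: ftp is the only service this host is meant to offer.
BASELINE = {("ftp", "/usr/sbin/tcpd")}

if __name__ == "__main__":
    for lineno, service, reasons in audit(SAMPLE, BASELINE):
        print(f"line {lineno}: {service}: {', '.join(reasons)}")
```

Run it from cron against the live file and alert on any non-empty result; the baseline should be kept somewhere an intruder on the host cannot rewrite it.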