Bill Beauchemin grabbed a keyboard and wrote:
>
> I was running a much older version of apache and openssl that I thought
> were ok but nooooooooo I guess this hack works with even the old stuff.
> I also didn't think somebody would be interested in my little private
> home email and web server.

*Never* make that assumption.  Of course, I guess you already know that 
now.....

> Oh well I learned my lesson. Now I gots to go
> and get the apache, openssl, and the modssl patches.

One problem with a hack like this is:  What else got installed during the 
compromise?  The only way you can be sure that you're safe now is to 
reformat all partitions and reinstall from scratch.  Simply getting rid of 
the stuff that you've found won't guarantee that you've gotten everything 
that may have been installed during the compromise period - other back 
doors may have been installed.

Live and learn:  If you're online, you're a target.  Keep your packages up 
to date with bug and security fixes.  There's a security announce list 
being run by Mandrake; you might want to subscribe to it.  It's low-volume, 
and only has postings from Mandrake when a security fix comes out so that 
you'll know to install it.  It's worth it.

Good luck with getting your system back together!

              --Dave

> On Thu, 2002-10-31 at 12:13, Vincent Danen wrote:
> > 
> > On Thursday, October 31, 2002, at 12:52 PM, Bill Beauchemin wrote:
> > 
> > > Some idiot hacked my system using either the chunked-encoding bug in
> > > Apache or the OpenSSL vulnerability to gain access. He used a rootkit
> > > called tc6. The file is called tc6b.tgz; this kit will send out all your
> > > passwords used on the system hacked.
> > 
> > Can I ask why you haven't been keeping up with updates?  Both of these 
> > vulnerabilities have been corrected in updates.
-- 
      David Guntner      GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
                 for PGP Public key

