Hi all, I just recently set up a RH 9 server (less than a week ago), and it has already been hacked. I know I'm going to have to reinstall, but I was hoping to find out what vulnerability was exploited so it doesn't happen again next time. I don't think any passwords were cracked. They must have used some other known exploit. But which one?
Here's what I know. It looks like they installed some sort of IRC relay. It also seems that they tampered with sshd and samba. Some of the packages from the rootkit they used include kool.tar.gz, psybnc.tar.gz, rkid.tar.gz, and smas.tgz (there may be others). Does anyone know what these do? Syslog was also tampered with (this was my first clue). Chkrootkit shows ifconfig, login, and pstree as infected. So my question is, how did they get root? Well, I guess they used this rootkit, but how did they manage to install that? Where is the vulnerability? If anyone has any suggestions of what to look for before I wipe out this box, it would be greatly appreciated. Aloha, Rob