Re: [expert] Ive been hacked!

2002-11-04 Thread Mark Weaver
Lyvim Xaphir wrote:

> On Thu, 2002-10-31 at 15:26, Bill Beauchemin wrote:
>
> > I was running a much older version of apache and openssl that I thought
> > were ok, but no, I guess this hack works with even the old stuff.
> > I also didn't think somebody would be interested in my little private
> > home email and web server. Oh well, I learned my lesson. Now I've got to go
> > and get the apache, openssl, and the modssl patches.
>
> The internet is much too large to go plucking IPs out of the air and
> hoping that they are interesting.  What happens is that the kiddie
> scripts scan whole subnets for IPs with known and gross vulnerability
> signatures.  Then they kindly compile a list of interesting IPs,
> sometimes filtered by the vulnerability that the cracker/kiddie is
> looking for (because that's the one they have the intrusion tools for).
>
> Then they just use the intrusion tools on the IPs with the most
> interesting vulnerability signatures.
>
> LX



And that's the sad part. The sorry shits don't even have the motivation
to do it themselves. They rely on something someone else has worked on
and debugged. They really are a sorry bunch.

Mark



Want to buy your Pack or Services from MandrakeSoft? 
Go to http://www.mandrakestore.com



Re: [expert] Ive been hacked!

2002-11-01 Thread Lyvim Xaphir
On Thu, 2002-10-31 at 15:26, Bill Beauchemin wrote:
> I was running a much older version of apache and openssl that I thought
> were ok, but no, I guess this hack works with even the old stuff.
> I also didn't think somebody would be interested in my little private
> home email and web server. Oh well, I learned my lesson. Now I've got to go
> and get the apache, openssl, and the modssl patches.
> 

The internet is much too large to go plucking IPs out of the air and
hoping that they are interesting.  What happens is that the kiddie
scripts scan whole subnets for IPs with known and gross vulnerability
signatures.  Then they kindly compile a list of interesting IPs,
sometimes filtered by the vulnerability that the cracker/kiddie is
looking for (because that's the one they have the intrusion tools for).

Then they just use the intrusion tools on the IPs with the most
interesting vulnerability signatures.

LX

-- 
°°°
Kernel  2.4.18-6mdk Mandrake Linux  8.2
Enlightenment 0.16.5-11mdkEvolution  1.0.2-5mdk
Registered Linux User #268899 http://counter.li.org/
°°°






Re: [expert] Ive been hacked!

2002-10-31 Thread James Sparenberg
Always assume you will be hacked... 'cause you will.

James


On Thu, 2002-10-31 at 14:40, Todd Lyons wrote:
> Bill Beauchemin wrote on Thu, Oct 31, 2002 at 12:26:27PM -0800 :
> > I was running a much older version of apache and openssl that I thought
> > were ok, but no, I guess this hack works with even the old stuff.
> > I also didn't think somebody would be interested in my little private
> > home email and web server. Oh well, I learned my lesson. Now I've got to go
> 
> That's the fallacy.  The issue is that no one _WAS_ interested in your
> little private email and web server.  It was part of an automated scan.
> Put another way, IF YOU ARE CONNECTED FULL TIME TO THE INTERNET, YOU
> WILL BE SCANNED.  Do not make it easy for them by putting a box out
> there with known vulnerabilities.
> 
> Blue skies... Todd
> -- 
> ...and I will strike down upon thee with great vengeance and furious
>  anger, those who attempt to poison and destroy my binaries, and you 
> will know my name is root, when I lay my vengeance upon thee.
>Cooker Version mandrake-release-9.1-0.1mdk Kernel 2.4.19-16mdk







Re: [expert] Ive been hacked!

2002-10-31 Thread Todd Lyons
Bill Beauchemin wrote on Thu, Oct 31, 2002 at 12:26:27PM -0800 :
> I was running a much older version of apache and openssl that I thought
> were ok, but no, I guess this hack works with even the old stuff.
> I also didn't think somebody would be interested in my little private
> home email and web server. Oh well, I learned my lesson. Now I've got to go

That's the fallacy.  The issue is that no one _WAS_ interested in your
little private email and web server.  It was part of an automated scan.
Put another way, IF YOU ARE CONNECTED FULL TIME TO THE INTERNET, YOU
WILL BE SCANNED.  Do not make it easy for them by putting a box out
there with known vulnerabilities.

Blue skies...   Todd
-- 
...and I will strike down upon thee with great vengeance and furious
 anger, those who attempt to poison and destroy my binaries, and you 
will know my name is root, when I lay my vengeance upon thee.
   Cooker Version mandrake-release-9.1-0.1mdk Kernel 2.4.19-16mdk





RE: [expert] Ive been hacked!

2002-10-31 Thread Franki
yeah, it happened to me years ago, on a redhat 6.1 system using wu-ftp...

ended up with 10 users I didn't put there, and they deleted the login stuff,
so I couldn't even login... and there were a lot of BitchX sessions happening
on the box..

It had even been used as an IRC server.

I learned my lesson in a big way.

I've been paranoid ever since.



rgds

Frank

-Original Message-
From: [EMAIL PROTECTED]
[mailto:expert-owner@;linux-mandrake.com]On Behalf Of Vincent Danen
Sent: Friday, 1 November 2002 5:05 AM
To: [EMAIL PROTECTED]
Subject: Re: [expert] Ive been hacked!



On Thursday, October 31, 2002, at 01:26 PM, Bill Beauchemin wrote:

> I was running a much older version of apache and openssl that I thought
> were ok, but no, I guess this hack works with even the old stuff.
> I also didn't think somebody would be interested in my little private
> home email and web server. Oh well, I learned my lesson. Now I've got to go
> and get the apache, openssl, and the modssl patches.

A few tips.  First, the updates are there to fix problems in older
versions.  Chances are, if there is an update for it, it's because you
*need* it.  We don't make updates just for kicks, and we don't provide
updates for software that isn't vulnerable.  IIRC, if you were running
apache 1.0, you would need the update.

Secondly, your private home email/web server is a preferred target.
Why?  Because of exactly your thinking.  "No one will be interested in
it".  It is much easier to hack into someone's machine with a
lackadaisical attitude towards security.  It also helps to hide the
trail.  If someone can hack into your machine, and then use it as a
springboard to the machine they *really* want, the better for them.  To
the end victim, it looks like the attack is coming from you, which it
is.  That means they will attempt to deal with *you*, rather than the
real perpetrator.  To that end, yes, it's more appealing to someone
wanting to break into amazon.com, to break into your machine first.  Or
four machines, similar to yours, springboarding from one machine to the
next, hiding their trail, until the end of the line machine (after
having accomplished four hops or so) is used to attack the real target.

The short and long of it is:  Never *ever* assume you will not be a
target.  They may not be interested in your data, but they may be
interested in your connection, CPU, etc.  And update update *update*!
Updates are done for your benefit, not ours.

I know it sucks to have this happen to you, but hopefully this will
serve as a lesson both to yourself and many other people who have had
the same attitude as you.  =)

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx - source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}







Re: [expert] Ive been hacked!

2002-10-31 Thread Vincent Danen

On Thursday, October 31, 2002, at 01:26 PM, Bill Beauchemin wrote:

> I was running a much older version of apache and openssl that I thought
> were ok, but no, I guess this hack works with even the old stuff.
> I also didn't think somebody would be interested in my little private
> home email and web server. Oh well, I learned my lesson. Now I've got to go
> and get the apache, openssl, and the modssl patches.

A few tips.  First, the updates are there to fix problems in older 
versions.  Chances are, if there is an update for it, it's because you 
*need* it.  We don't make updates just for kicks, and we don't provide 
updates for software that isn't vulnerable.  IIRC, if you were running 
apache 1.0, you would need the update.

Secondly, your private home email/web server is a preferred target.  
Why?  Because of exactly your thinking.  "No one will be interested in 
it".  It is much easier to hack into someone's machine with a 
lackadaisical attitude towards security.  It also helps to hide the 
trail.  If someone can hack into your machine, and then use it as a 
springboard to the machine they *really* want, the better for them.  To 
the end victim, it looks like the attack is coming from you, which it 
is.  That means they will attempt to deal with *you*, rather than the 
real perpetrator.  To that end, yes, it's more appealing to someone 
wanting to break into amazon.com, to break into your machine first.  Or 
four machines, similar to yours, springboarding from one machine to the 
next, hiding their trail, until the end of the line machine (after 
having accomplished four hops or so) is used to attack the real target.

The short and long of it is:  Never *ever* assume you will not be a 
target.  They may not be interested in your data, but they may be 
interested in your connection, CPU, etc.  And update update *update*!  
Updates are done for your benefit, not ours.

I know it sucks to have this happen to you, but hopefully this will 
serve as a lesson both to yourself and many other people who have had 
the same attitude as you.  =)

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx - source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}





Re: [expert] Ive been hacked!

2002-10-31 Thread David Guntner
Bill Beauchemin grabbed a keyboard and wrote:
>
> I was running a much older version of apache and openssl that I thought
> were ok, but no, I guess this hack works with even the old stuff.
> I also didn't think somebody would be interested in my little private
> home email and web server.

*Never* make that assumption.  Of course, I guess you already know that 
now.

> Oh well, I learned my lesson. Now I've got to go
> and get the apache, openssl, and the modssl patches.

One problem with a hack like this is:  What else got installed during the 
compromise?  The only way you can be sure that you're safe now is to 
reformat all partitions and reinstall from scratch.  Simply getting rid of 
the stuff that you've found won't guarantee that you've gotten everything 
that may have been installed during the compromise period - other back 
doors may have been installed.

Live and learn:  If you're online, you're a target.  Keep your packages up 
to date with bug and security fixes.  There's a security announce list 
being run by Mandrake; you might want to subscribe to it.  It's low-volume, 
and only has postings from Mandrake when a security fix comes out so that 
you'll know to install it.  It's worth it.

Good luck with getting your system back together!

  --Dave

> On Thu, 2002-10-31 at 12:13, Vincent Danen wrote:
> > 
> > On Thursday, October 31, 2002, at 12:52 PM, Bill Beauchemin wrote:
> > 
> > > Some idiot hacked my system using either the chunked-encoding bug in
> > > Apache or the OpenSSL vulnerability to gain access. He used a rootkit
> > > called tc6. The file is called tc6b.tgz; this kit will send out all the
> > > passwords used on the hacked system.
> > 
> > Can I ask why you haven't been keeping up with updates?  Both of these 
> > vulnerabilities have been corrected in updates.
-- 
  David Guntner  GEnie: Just say NO!
 http://www.akaMail.com/pgpkey/davidg or key server
 for PGP Public key






Re: [expert] Ive been hacked!

2002-10-31 Thread Ken Hawkins
Thanks for the heads-up!

Ken

On Thu, 2002-10-31 at 14:52, Bill Beauchemin wrote:
> Some idiot hacked my system using either the chunked-encoding bug in
> Apache or the OpenSSL vulnerability to gain access. He used a rootkit
> called tc6. The file is called tc6b.tgz; this kit will send out all the
> passwords used on the hacked system.
> 







Re: [expert] Ive been hacked!

2002-10-31 Thread Bill Beauchemin
I was running a much older version of apache and openssl that I thought
were ok, but no, I guess this hack works with even the old stuff.
I also didn't think somebody would be interested in my little private
home email and web server. Oh well, I learned my lesson. Now I've got to go
and get the apache, openssl, and the modssl patches.

On Thu, 2002-10-31 at 12:13, Vincent Danen wrote:
> 
> On Thursday, October 31, 2002, at 12:52 PM, Bill Beauchemin wrote:
> 
> > Some idiot hacked my system using either the chunked-encoding bug in
> > Apache or the OpenSSL vulnerability to gain access. He used a rootkit
> > called tc6. The file is called tc6b.tgz; this kit will send out all the
> > passwords used on the hacked system.
> 
> Can I ask why you haven't been keeping up with updates?  Both of these 
> vulnerabilities have been corrected in updates.
> 
> --
> MandrakeSoft Security; http://www.mandrakesecure.net/
> "lynx - source http://linsec.ca/vdanen.asc | gpg --import"
> {FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}
> 






Re: [expert] Ive been hacked!

2002-10-31 Thread Vincent Danen

On Thursday, October 31, 2002, at 12:52 PM, Bill Beauchemin wrote:

> Some idiot hacked my system using either the chunked-encoding bug in
> Apache or the OpenSSL vulnerability to gain access. He used a rootkit
> called tc6. The file is called tc6b.tgz; this kit will send out all the
> passwords used on the hacked system.


Can I ask why you haven't been keeping up with updates?  Both of these 
vulnerabilities have been corrected in updates.

--
MandrakeSoft Security; http://www.mandrakesecure.net/
"lynx - source http://linsec.ca/vdanen.asc | gpg --import"
{FE6F2AFD: 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD}





[expert] Ive been hacked!

2002-10-31 Thread Bill Beauchemin
Some idiot hacked my system using either the chunked-encoding bug in
Apache or the OpenSSL vulnerability to gain access. He used a rootkit
called tc6. The file is called tc6b.tgz; this kit will send out all the
passwords used on the hacked system.

There is a hidden directory /usr/bin/util that it creates and stores all
the programs in. There is a file named voodoo that has all the passwords in
it.

Check your /etc/inittab file and look for a line that contains initcheck.
That is the bad boy.

This kit sets up sshd on whatever port they want and with whatever password.
Mine was port 54321 with a password of oo7oo7.

You may want to do an lsmod and look for libldb.so.1 and libldb.so.2. Do
not rmmod these puppies as this will crash your system. Simply comment
out the line in your inittab file and reboot. This will allow you to
remove everything, and all the hidden files and directories can be safely
removed.



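A check for the indicators Bill lists above, written as an added example for this archive rather than anything posted in the thread. It is a POSIX shell function that looks for the /usr/bin/util directory, the voodoo file and the initcheck line in /etc/inittab on whatever root you point it at, and, only when run against the live root, for a listener on TCP 54321 and a libldb entry in the module list. The function names, the ROOT argument and the constructed inittab line in the demo are this example's own assumptions; the paths, keyword and port come from Bill's post. Running it against a mounted copy of the suspect disk rather than the live system sidesteps whatever the kit's modules hide from tools on the running box, which is also why David's reinstall advice still stands even when the check comes back clean.

```shell
#!/bin/sh
# Added example, not from the original thread: look for the tc6 indicators
# Bill describes. The paths, the inittab keyword and the port are his; the
# function names and the ROOT argument are this example's own choices.
#
# Usage:  . ./tc6check.sh; check_tc6 /mnt/suspect      (mounted image)
#         . ./tc6check.sh; check_tc6                   (live host, ROOT=/)
# Exit status 0 = nothing found, 1 = one or more indicators found.

check_tc6() {
    root="${1:-/}"
    hits=0

    # 1. The hidden tool directory and the file the kit writes captured
    #    passwords to.
    if [ -d "$root/usr/bin/util" ]; then
        echo "HIT: tool directory $root/usr/bin/util"
        hits=$((hits + 1))
        if [ -f "$root/usr/bin/util/voodoo" ]; then
            echo "HIT: password dump $root/usr/bin/util/voodoo"
            hits=$((hits + 1))
        fi
    fi

    # 2. Persistence: the 'initcheck' entry in inittab restarts the kit on
    #    every boot. Report the line; per the thread, comment it out and
    #    reboot rather than rmmod the modules on the running system.
    if [ -f "$root/etc/inittab" ] && grep -q initcheck "$root/etc/inittab"; then
        echo "HIT: initcheck entry in $root/etc/inittab"
        grep -n initcheck "$root/etc/inittab" | sed 's/^/      /'
        hits=$((hits + 1))
    fi

    # 3. Live-host checks: the backdoor sshd listener and the libldb modules.
    #    /proc/net/tcp lists ports in hex (54321 = D431); state 0A is LISTEN.
    if [ "$root" = "/" ]; then
        if cat /proc/net/tcp /proc/net/tcp6 2>/dev/null |
           grep -Eq '^ *[0-9]+: [0-9A-F]+:D431 [0-9A-F]+:[0-9A-F]+ 0A'; then
            echo "HIT: listener on TCP/54321 (backdoor sshd)"
            hits=$((hits + 1))
        fi
        if grep -q '^libldb' /proc/modules 2>/dev/null; then
            echo "HIT: libldb module loaded (do not rmmod; the box will crash)"
            hits=$((hits + 1))
        fi
    fi

    echo "tc6 indicators found: $hits"
    [ "$hits" -eq 0 ]
}

# Self-contained demonstration: build a constructed root carrying the three
# file-system indicators, scan it, and print the number of HIT lines, so
# the check can be tried without touching a real system.
demo_tc6() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/bin/util" "$tmp/etc"
    : > "$tmp/usr/bin/util/voodoo"
    # Constructed inittab: the real kit's line is only known to contain
    # the word 'initcheck', so the rest of this entry is made up here.
    printf 'id:5:initdefault:\nic::respawn:/usr/bin/util/initcheck\n' > "$tmp/etc/inittab"
    check_tc6 "$tmp" | grep -c '^HIT:'
    rm -rf "$tmp"
}
```

Source the file and call `check_tc6 /mnt/suspect` with the compromised disk mounted read-only; `demo_tc6` prints 3 against its constructed tree. The live-host checks are deliberately skipped for any other root, since a listener table or module list only makes sense on the running kernel.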