Re: [expert] I'VE BEEN HACKED!!! Need upgraded wu-ftp for 7.1

2000-11-29 Thread Daniel Woods
Bob, Right now the three biggest security threats to Linux are... 1/ not having wu-ftpd installed with the latest fixed version wu-ftpd-2.6.1-7mdk 2/ using sunrpc port 111 for NFS (stat.d exploit) 3/ using an older version of bind/named (DNS)

Re: [expert] I'VE BEEN HACKED!!! Need upgraded wu-ftp for 7.1

2000-11-29 Thread Tom Berkley
Get rid of wu-ftpd and install proftpd. Works great in 7.1. Tom Berkley "Bob Puff@NLE" wrote: Hi gang, Last night, my webserver machine (Mandrake 7.1) was "defaced". The hacker got root access, and uploaded a script that went into every virtual host and replaced the index.htm(l) file

[expert] I'VE BEEN HACKED!!! Need upgraded wu-ftp for 7.1

2000-11-28 Thread Bob [EMAIL PROTECTED]
Hi gang, Last night, my webserver machine (Mandrake 7.1) was "defaced". The hacker got root access, and uploaded a script that went into every virtual host and replaced the index.htm(l) file with his own file. His "defacement" included his email, and a link to his site:

Re: [expert] I'VE BEEN HACKED!!! Need upgraded wu-ftp for 7.1

2000-11-28 Thread Tyler Longren
PROTECTED] Subject: [expert] I'VE BEEN HACKED!!! Need upgraded wu-ftp for 7.1 Hi gang, Last night, my webserver machine (Mandrake 7.1) was "defaced". The hacker got root access, and uploaded a script that went into every virtual host and replaced the index.htm(l) file wit

Re: [expert] I'VE BEEN HACKED!!! Need upgraded wu-ftp for 7.1

2000-11-28 Thread Scott Tyson
When I ran an FTP server last year I avoided wu-ftp like the plague. I found proftpd much faster and it has less holes. It also was easier (for me) to configure. As always, YMMV http://www.proftpd.net/ *** REPLY SEPARATOR *** On 11/28/2000 at 10:07 PM Bob Puff@NLE

Re: [expert] I've been hacked!

2000-04-25 Thread Hans Schneidhofer
Hi, I think you are NOT hacked, because on one of my LM-Boxes, which is NOT connected to the internet directly, I get the same mail-listing every night. But I've NOT found any useful explanation yet. My msec-level is 3 on this box. bye Hans Schneidhofer On Tue, 25 Apr 2000 you wrote: I

Re: [expert] I've been hacked!

2000-04-24 Thread Erik Kaffehr
Well one way to check would be to do: rpm -qa | awk '{ print "rpm --verify " $1}' | sh This would essentially tell you which files differ from the original installation. There will be lots of complaints. You could also try to: rpm -qa | awk '{ print "rpm -- --force --nodeps " $1}' | sh

Re: [expert] I've been hacked!

2000-04-24 Thread Wang Jian
You can use rpm to check the packages affected, and then reinstall these package. For example, the following steps find the package, verify the package, and if affected, reinstall the package from CDROM # rpm -qf /bin/mount mount-2.9o-1 # rpm -V mount # rpm -U --force mount-*rpm Anyway, you

Re: [expert] I've been hacked!

2000-04-24 Thread Brian T. Schellenberger
If that's the case, then why does the report say that there's a *difference* in the suid root files? Why does it claim that all of those are *changed*? It doesn't merely claim that they *are* suid root; it claims that they *changed*. Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 ***

Re: [expert] I've been hacked!

2000-04-24 Thread Paul Weber
Andrew, The solution I use is to assume the worst. Your system has been totally compromised as has every system that trusts it. (Do you use rlogin, rsh or do you have ssh keys laying around on that system?) The first thing you need to do is to grab a complete image of the disk(s) to tape

Re: [expert] I've been hacked!

2000-04-24 Thread Ron Stodden
"Brian T. Schellenberger" wrote: If that's the case, then why does the report say that there's a *difference* in the suid root files? Why does it claim that all of those are *changed*? It doesn't merely claim that they *are* suid root; it claims that they *changed*. My apologies. You

Re: [expert] I've been hacked!

2000-04-24 Thread Russ Johnson
Ron, re-read the message. It specifically says that files that shouldn't be suid have been changed to suid since the last scan. For instance, mount, su, and umount should never be suid. They aren't installed that way, so "something" had to change them. Even if it wasn't a hack job, there are many

Re[2]: [expert] I've been hacked!

2000-04-24 Thread Wang Jian
Sorry, but mount, su, and umount should be suid. A rpm -Va can find all files changed since installation. Monday, April 24, 2000, 11:08:42 PM, you wrote: RJ Ron, re-read the message. It specifically says that files that shouldn't be suid RJ have been changed to suid since the last scan. RJ For

Re: [expert] I've been hacked!

2000-04-24 Thread Andrew Vogel
On Mon, 24 Apr 2000 08:08:42 -0700, you wrote: Ron, re-read the message. It specifically says that files that shouldn't be suid have been changed to suid since the last scan. For instance, mount, su, and umount should never be suid. They aren't installed that way, so "something" had to change

Re: Re[2]: [expert] I've been hacked!

2000-04-24 Thread Gary Simmons
Yes this was not a hack... my files are in the same condition even after reinstalling the RPMS to be sure... the reason it said it changed was likely because you upgraded an RPM and it changed it for you, or this was the first time the security scan was run. But now I do have to ask... why does

Re: [expert] I've been hacked!

2000-04-24 Thread Eric L. Brine
But now I do have to ask... why does ping need to be suid root? and why do some of the other files he listed have to be suid as well?? From a Solaris box (I don't have linux installed): {2} q2ir@jupiter [~] ls -l `which ping` -r-sr-xr-x 1 root bin20404 Oct 6 1998

Re: [expert] I've been hacked!

2000-04-24 Thread Rial Juan
I don't have /sbin/dump; /sbin/restore and /usr/bin/sperl5.6.0 installed. Other than that, all files in the following list are suid. Subject: *** Diff Check, Thu Apr 20 00:02:50 EDT 2000 *** Security Warning: Change in Suid Root files found : - Added suid root files :

Re[2]: [expert] I've been hacked!

2000-04-24 Thread Wang Jian
Actually, I suspect it is just a fuss :-) Security check is scheduled to run in localtime 24:00 or say 00:00, so if you are lazy and usually sleep early and shutdown the machine when you sleep like a babe pig, you have no chance to have it run. And now, by chances, you sleep a little late and

Re: [expert] I've been hacked!

2000-04-24 Thread Russ Johnson
Well, take a good look too, as I was wrong about the three files I specifically mentioned. I'd still recommend tripwire (free version available at www.tripwire.com) to check for changes on important files. Russ Andrew Vogel wrote: On Mon, 24 Apr 2000 08:08:42 -0700, you wrote: Ron, re-read

Re: [expert] I've been hacked!

2000-04-24 Thread Guillermo Belli
I've found similar emails in my system. It's impossible that someone hacked into my system, because I connect to the internet via dialup, I don't stay connected enough time for someone to hack in and my internet logins are at random times during the day. I guess these messages are

Re: [expert] I've been hacked!

2000-04-23 Thread tymanthius
First thing to do is go thru your file system and see what's new/missing. I know that warez pirates will often open up a machine so that it can be used as storage for their pirate programs. Ty C. Mixon F.T.C. Enterprises [EMAIL PROTECTED] ICQ 26147713

Re: [expert] I've been hacked!

2000-04-23 Thread Russ Johnson
If you don't know what the files were before, and you don't have a backup, the best fix will be a clean reinstall. To prevent it, set up a good firewall. As extra protection, use something like tripwire to ensure that your files don't change. The advantage to tripwire is that it can tell you

Re: [expert] I've been hacked!

2000-04-23 Thread Brian T. Schellenberger
The easiest fastest way to fix it is to re-install the O/S (not an upgrade, an install). This might not be a big deal if you have /home and /usr/local on separate partitions and you've not customized elsewhere much and/or if you keep frequent backups, or it might be a big deal. Nothing short

Re: [expert] I've been hacked!

2000-04-23 Thread Ron Stodden
Andrew Vogel wrote: I woke up this morning to find this email in my system: ... I've been hacked! The questions, now, are: 1. How do I fix this? and 2. How do I prevent it from happening again? No you haven't! This is just the periodic report done on your system security by your own msec