LFS security problem: break-in
Greg T Hill
greghill at terranova.net
Wed Aug 16 03:25:11 PDT 2000
Thomas 'Balu' Walter wrote:
> +-Paul Jensen-(pj at pcrentals.com)-[16.08.00 14:38]:
> > While I was on vacation, the lfs1 server was broken into and the
> > intruder became root. I discovered it the day I came back.
> > I believe it was by way of the ftp daemon. I have posted the intruder's
> > files in a tarball in the /security directory (hack.tgz). The log shows
> > that the cracker could not install the software correctly and gives
> > references to another server's IP address. I have sent email to the
> > server's owner, but have not gotten any response.
> > As far as I can tell, no other files were modified. I am asking the list
> > for any help or expertise with this problem.
> Don't even think of that. I strongly suggest getting the machine off the
> net and installing it from scratch. Until you have a file-integrity checker
> like tripwire running on your system you will never know if she installed
> any kind of rootkit or similar.
When my home server was cracked, the only clue in the logs was a report that
someone on bellsouth.net had tried to open a pop3 server and been denied. I
assumed that whoever it was had blundered on me by mistake and didn't worry
about it. A couple of days later my system went into the toilet while I was
online. I didn't have a firewall at the time (I thought they were for
commercial servers and such) and my distro's setup had me running telnetd. Live
and learn... My point is that you can't believe your logs; the purpose may have
been to lull you into believing someone tried and failed.
Forgive me if this is a stupid question, but do we need an ftp server? Couldn't
files be downloaded via http? Would it be easier to secure?
Today is Pungenday, the 9th day of Bureaucracy in the YOLD 3166
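A minimal version of the baseline-and-compare check that Thomas refers to (what tripwire does), added here as an illustration; it is not code from the thread or from tripwire. It hashes every file under a directory, keeps a baseline, and reports what was added, removed or altered. The directory layout and file contents are constructed for the demo.

```python
import hashlib, os, stat, tempfile

def file_record(path):
    """Hash the content and capture mode/uid/size, the things a replaced
    binary or an added setuid file will disturb. Symlinks hash their target."""
    st = os.lstat(path)
    h = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    elif stat.S_ISLNK(st.st_mode):
        h.update(os.readlink(path).encode())
    return (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_size)

def snapshot(root):
    """Baseline: relative path -> record, for every file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root)] = file_record(full)
    return baseline

def compare(baseline, current):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed scenario: take a baseline, then replace a 'binary' with one of
    the same length and drop a hidden file, the pattern a rootkit install leaves."""
    root = tempfile.mkdtemp()
    for name, data in (("bin/ls", b"original ls"), ("etc/passwd", b"root:x:0:0")):
        os.makedirs(os.path.dirname(os.path.join(root, name)), exist_ok=True)
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    baseline = snapshot(root)   # in real use, store this on read-only/offline media
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(b"trojaned ls")  # same size as the original, so size alone would miss it
    os.makedirs(os.path.join(root, "dev/.hidden"))
    with open(os.path.join(root, "dev/.hidden/bd"), "wb") as f:
        f.write(b"backdoor")
    return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The baseline is only trustworthy if it was taken before the compromise and kept where root on the monitored host cannot rewrite it, which is why the reinstall-first advice above still stands.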