LFS security problem: break-in
Thomas T. Veldhouse
veldy at veldy.net
Wed Aug 16 06:17:12 PDT 2000
You need to contact the upstream provider about the problem and get his/her
account cancelled. Traceroute is a great tool along with whois and
veldy at veldy.net
----- Original Message -----
From: Paul Jensen <pj at pcrentals.com>
To: <lfs-discuss at linuxfromscratch.org>
Sent: Wednesday, August 16, 2000 7:18 AM
Subject: LFS security problem: break-in
> While I was on vacation, the lfs1 server was broken into and the
> intruder became root. I discovered it the day I came back.
> I believe it was by way of the ftp daemon. I have posted the intruder's
> files in a tarball in the /security directory (hack.tgz). The log shows
> that the cracker could not install the software correctly and gives
> references to another server's IP address. I have sent email to the
> server's owner, but have not gotten any response.
> As far as I can tell, no other files were modified. I am asking the list
> for any help or expertise with this problem.
> This break-in shows me how easy it is to crack a server on the internet.
> I was running wu-ftpd-2.6. Bugtraq came out with a warning around June 23
> and the break-in occurred while I was away on July 9, 18:38 central
> daylight time or 16:38 pacific time. Entries in the system logs were
> erased in this time period also.
> This raises an issue: how can we protect our systems from buffer overflow
> attacks? Firewalls will not prevent your server from being cracked.
> I believe these issues are more important than any other for LFS. It
> raises the main concern "why are we using lfs?"
> Two possible solutions are Stack Guard (http://immunix.org) and lids
> (Linux kernel based Intrusion Detection System). This is available from
> I realize Gerard is probably too busy to incorporate this in his book, so
> I will collect hints and problems concerning using these with lfs.
> paul jensen
> ftp/news/mail archive adm
> Mail archive: http://www.pcrdallas.com/mail-archives/lfs-discuss
> IRC access: server: irc.linuxfromscratch.org port: 6667 channel: #LFS
> Unsubscribe: email lfs-discuss-request at linuxfromscratch.org and put
> "unsubscribe" (without the quotation marks) in the body of the message
> (no subject is required)