LFS security problem: break-in

Thomas T. Veldhouse veldy at veldy.net
Wed Aug 16 06:17:12 PDT 2000


You need to contact the upstream provider about the problem and get his/her
account cancelled.  Traceroute is a great tool along with whois and
nslookup.

Tom Veldhouse
veldy at veldy.net

----- Original Message -----
From: Paul Jensen <pj at pcrentals.com>
To: <lfs-discuss at linuxfromscratch.org>
Sent: Wednesday, August 16, 2000 7:18 AM
Subject: LFS security problem: break-in


> While I was on vacation, the lfs1 server was broken into and the
> intruder became root.  I discovered it the day I came back.
>
> I believe it was by way of the ftp daemon.  I have posted the intruder's
> files in a tarball in the /security directory (hack.tgz).  The log shows
> that the cracker could not install the software correctly and gives
> references to another server's IP address.  I have sent email to the
> server's owner, but have not gotten any response.
>
> As far as I can tell, no other files were modified.  I am asking the list
> for any help or expertise with this problem.
>
> This break-in shows me how easy it is to crack a server on the internet.
> I was running wu-ftpd-2.6.  Bugtraq came out with a warning around June 23
> and the break-in occurred while I was away on July 9, 18:38 central
> daylight time or 16:38 pacific time.  Entries in the system logs were
> erased in this time period also.
>
> This raises an issue: how can we protect our systems from buffer overflow
> attacks?  Firewalls will not prevent your server from being cracked.
>
> I believe these issues are more important than any other for LFS.  It
> raises the main concern "why are we using lfs?"
>
> Two possible solutions are Stack Guard (http://immunix.org) and lids
> (Linux kernel based Intrusion Detection System).  This is available from
> lids.org.
>
> I realize Gerard is probably too busy to incorporate this in his book, so
> I will collect hints and problems concerning using these with lfs.
>
> paul jensen
> ftp/news/mail archive adm
> www.pcrdallas.com
>
>
> --
> Mail archive: http://www.pcrdallas.com/mail-archives/lfs-discuss
> IRC access: server: irc.linuxfromscratch.org port: 6667 channel: #LFS
> Unsubscribe: email lfs-discuss-request at linuxfromscratch.org and put
> "unsubscribe" (without the quotation marks) in the body of the message
> (no subject is required)
>
