[TriLUG] invisible directories...
Jeffery Painter
painter at kiasoft.com
Tue Apr 22 01:39:51 EDT 2003
Well, it was a standard RH 8.0 install. vsftpd was the FTP program running;
Samba, Apache, SSH, and Tomcat were the only other networked apps running.
Unfortunately the box is on a client's network and I don't have control
over their firewall. I locked down every other service and installed the
usual Red Hat errata fixes (I grabbed them from kickstart.linux.ncsu.edu),
so I think I was in the clear there.
In essence, I think I did everything a reasonable admin would do. It
wasn't until I installed portsentry that I started noticing the box was
getting bombarded with port scans, and I don't know if I will ever know
the exact way they found their way in. I discovered a hacked SSH running,
and several of the binaries were replaced as mentioned. Luckily all my
data was intact, and I've moved development to another box until I can
reinstall from scratch.
Someone was damned persistent, is all I can say :)
Thanks for the pointers, everyone, though. Makes me glad I run a backup
every hour :) Just call me paranoid with good reason.
Jeff Painter
painter at kiasoft.com
On Tue, 22 Apr 2003, Gregory Woodbury wrote:
> "It was written once upon a time (by Turnpike Man):"
> >
> > Reading all this is kinda disturbing. I hate seeing this kind of crap going
> > on. Are there ways he could have prevented this, besides never plugging into
> > a network? Was his FTP the most probable point of entry? If you find out how
> > they did it, I'd love to know. Thanks and good luck, Jeff.
> >
> > David M.
>
> Installing a firewall, and keeping the system up to date are the primary
> defenses.
>
> I suspect that FTP might be the problem, especially if he is *not* using
> vsftpd. The selection of what server program to use, and keeping them
> up to date are critical.
>
> I once had a RH5.x box cracked via a BIND (DNS) exploit, but that was
> long ago and not so far away.
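Jeff found a trojaned sshd and other replaced binaries. The script below is an added example, not code from this thread or from Jeff: it shows the check that makes that discovery systematic, a hash baseline of the system binaries taken from the clean install and compared against the live tree later. The file tree, the "clean" and "trojaned" file contents and the temp directory are all constructed here so it runs offline; on a real host the baseline would cover /bin, /sbin, /usr/bin and /usr/sbin and be kept off the box. It assumes GNU coreutils (sha256sum -c) and POSIX sh.

```shell
#!/bin/sh
# Added example (not from the TriLUG thread). Hash-baseline check for replaced
# or added binaries. Assumes GNU coreutils sha256sum. The tree is constructed
# in a temp dir; paths under "$root/bin" stand in for the real system dirs.
export LC_ALL=C   # stable sort/comm ordering regardless of locale

# Record a baseline for every regular file under "$root/bin". Do this on a
# freshly installed, patched box BEFORE it goes on the network, and store the
# manifest where an intruder on the box cannot edit it (here it sits in
# "$root" only so the example is self-contained).
make_baseline() {
    root="$1"
    (cd "$root" && find bin -type f | sort | xargs sha256sum) > "$root/baseline.sha256"
}

# Print baseline paths whose contents changed (or vanished), one per line,
# sorted; print nothing when everything matches. Run it with a sha256sum
# copied from known-good media: a trojaned sha256sum, like the trojaned sshd
# in the thread, can lie about itself.
list_modified() {
    root="$1"
    (cd "$root" && sha256sum -c --quiet baseline.sha256 2>/dev/null) \
        | grep ': FAILED' | sed 's/: FAILED.*//' | sort || true
}

# Print files present now that the baseline never saw (dropped tools, hidden
# files); the hash check alone cannot catch those.
list_new() {
    root="$1"
    (cd "$root" && find bin -type f | sort) > "$root/.now"
    awk '{print $2}' "$root/baseline.sha256" | sort > "$root/.then"
    comm -23 "$root/.now" "$root/.then"
    rm -f "$root/.now" "$root/.then"
}

# Constructed stand-in for a clean install.
build_clean_tree() {
    root="$1"
    mkdir -p "$root/bin"
    printf 'clean sshd\n' > "$root/bin/sshd"
    printf 'clean ls\n'   > "$root/bin/ls"
    printf 'clean ps\n'   > "$root/bin/ps"
}

# Constructed stand-in for the compromise in the thread: sshd and ps are
# swapped for trojaned copies and a hidden attacker file is dropped.
tamper_tree() {
    root="$1"
    printf 'trojaned sshd\n' > "$root/bin/sshd"
    printf 'trojaned ps\n'   > "$root/bin/ps"
    printf 'attacker tool\n' > "$root/bin/.x"
}

# Walk through the scenario end to end when the script is run directly.
demo() {
    d=$(mktemp -d)
    build_clean_tree "$d"
    make_baseline "$d"
    echo "before tamper: modified=[$(list_modified "$d" | tr '\n' ' ')] new=[$(list_new "$d")]"
    tamper_tree "$d"
    echo "after tamper:  modified=[$(list_modified "$d" | tr '\n' ' ')] new=[$(list_new "$d")]"
    rm -rf "$d"
}
demo
```

On Red Hat the package-native equivalent is `rpm -Va`, which verifies installed files against the RPM database, but it runs the host's own rpm binary and database, so on a box where binaries are known to have been replaced its output is only trustworthy when run from boot media or a chrooted mount with known-good tools. A trojaned sshd also means every password typed into it since the compromise should be treated as captured and changed from a clean machine, which is one more reason to reinstall from scratch rather than patch in place.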