RE: Hacked

[dreamwvr <dreamwvr () dreamwvr com>]

hi,
  also check your 'tcp_wrappers'
                                                                Regards,
                                                                dreamwvr () dreamwvr com
At 02:47 PM 2/28/99 -0500, jonathan () leto net wrote:
> You didn't get hacked, you got script kiddied.
> Your running redhat right? The 2 most infamous redhat exploits are named and
> imap. There are scanners that search for just these 2 things, and they still
> find plenty. 
> First of all, NEVER use any type of default. Its defeating the purpose of
> linux, customize it. Make it do what you want to do. If this is just a
home box
> that you want to be able to get to, disable everything and install sshd.
Telnet
> is not secure. Make sure you get a brand spanking new ftp daemon, a couple
> weeks ago a big exploit was found in many of them. Or just be really 3leet
and
> pipe ftp though ssh.
>
> On 26-Feb-99 Steve wrote:
> > Hacked this last weekend or sometime.
> >
> > What I'm running:
> >
> > Linux 2.0.35 with ipfwadm, all defaults, added masq for 192.168.1.0 to
> > 0.0.0.0 to feed my home LAN to ppp through a little 56.6k dial up.
> >
> > How I found out:
> >
> > Tried to log in telnet from an inside machine, wouldn't allow me to log in
> > under any user name I had configured - root, col or steve.  Finally
rebooted
> > (Windows habit) and noticed that syslog couldn't write to any of the log
> > files and still couldn't log in.
> >
> > Long story short:
> >
> > Got the machine back up with a new hard drive (install fresh on the hacked
> > drive???!!!  Hell no!!!  It's evidence and possible clues as to
> > who/what/when/how - the whole deal.
> >
> > So I mount the drive and find a message in my root directory:
> >
> > hehe.idiot.fix.your.imap.and.feel.glad.i.didnt.rm-rf.everything
> >
> > imap, huh?  I knew I was running lots of services - it was a hacker's
dream,
> > most likely.  But this was at home, and it was quite sloppy.  But it did
its
> > purpose - my LAN *seems* okay - no evidence of any tampering, though it was
> > quite possible - again, from sloppiness.  Anyway, I have a real,
> > honest-to-goodness hacked drive over here - something live to study and
> > learn from.
> >
> > BTW - first thing I did was to check for messages, and, just as the
messages
> > on boot-up said, the log directory is gone.  First thing this weekend - I
> > will buy a computer for logging - do that transmission trick with the
> > wiring - wire a cable only with the what - 1 and 2 wires, so it would be
> > physically impossible for them to receive any feedback on the connection to
> > try to delete those files on the other machine.  (But I may wait until next
> > week - it's First Saturday down here in Dallas).
> >
> > Besides that, I'll be keeping that hard drive off the network, except to
> > look at it - I don't want anything to happen to it!  I just may do a dd get
> > a backup while I'm at it.
> >
> > I'm writing to share my experience, get some feedback and learn.  I'd love
> > to hear from anyone with ideas on what to look for on that drive, and
> > anything else that comes to mind.
> >
> > Finally, am I ashamed to be writing this?  No way!!!  I love this!  It's
all
> > just a game, and I love to play . . .
>
>
> --] jonathan () leto net [--
> --] 28-Feb-99 14:39:45[--
Reuters, London, February 29, 1998: 
Scientists have announced discovering a meteorite which will strike the 
earth in March, 2028.  Millions of UNIX coders expressed relief for being 
spared the UNIX epoch "crisis" of 2038.
_______________________________________________________________________

DREAMWVR.COM - TOTAL WEB INTEGRATION, DEVELOPMENT, DESIGN SERVICES. 
Featuring Website Development and Web Strategies of a TOP Developer 
New Look and Feel... Coming to a Browser near you..:) 
<http://www.dreamwvr.com/services/MAX_SEC.html><-- Road Improvements
DREAMWVR.COM - The Console of Many... 24 X 7 Evolution Internet
<http://www.dreamwvr.com/dynamicduo.html> <mailto:dreamwvr () dreamwvr com>
"As Unique as the Company You Keep."        "===0 PGP Key Available  
________________________________________________________________________