[GeoStL] Re: Rooted?

  • From: Andy Sims <yutty_666@xxxxxxxxx>
  • To: geocaching@xxxxxxxxxxxxx
  • Date: Tue, 23 Dec 2003 05:43:51 -0800 (PST)

-
Well the defaced website says it has been rooted,
which means that the intruders have gained root access
to the machine.  Root is the master user on a unix
machine.  If this is the case then at the very least,
passwords need to be changed and files restored.  It
could just be BS too.  Maybe just the web server
software (apache?) was vulnerable, and maybe the
damage was just limited to that, but I don't know
enough about the machine to say what is what.  They
busted in somehow.  It was probably an automated
attack, some sort of worm.

Usually when something like this happens a clean
install of the OS with the most recent software is the
best answer.  It may not be necessary.  I'd try
http://www.chkrootkit.org/ first and see if it can be
cleaned up.  The point of entry needs to be identified
as well.  If the box is hardened, then it's probably
the web server software.

A port scan of the machine shows:

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-12-23 07:36 CST
Interesting ports on 66.78.41.199:
(The 1628 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      open        tcpmux
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
32/tcp     open        unknown
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
143/tcp    open        imap2
443/tcp    open        https
465/tcp    open        smtps
993/tcp    open        imaps
995/tcp    open        pop3s
3306/tcp   open        mysql
6666/tcp   open        irc-serv
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.21 w/grsecurity.org patch
Uptime 22.518 days (since Sun Nov 30 19:10:16 2003)
 
Nmap run completed -- 1 IP address (1 host up) scanned in 20.443 seconds
root@yutty:/home/andy#

Port 111 should really be blocked on a machine out in
the wild, and if mysql does nothing but serve data to
(apache) then it should be blocked to the outside
world as well.

imap has serious security issues if it's not up to
date.

apache is always being updated because of security
issues.

ftp is kind of redundant with ssh running seeing as
how putty supports sftp nowadays.

I could go on and on.

I'm not going to poke at the box any more than this
port scan unless someone tells me to.

Merry Christmas to us all.

Andy (Yutty)
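As an added example (not part of Andy's post or any tool he names), the script below parses the nmap 3.30-style port table quoted above and flags the exposures the post calls out: sunrpc and mysql reachable from outside, and ftp left open while ssh already covers file transfer. The policy tables and helper names are assumptions encoding only the advice in the message.

```python
"""Parse an nmap 3.30-style port table and flag exposures the post advises against.

The policy below encodes only what the message says: block sunrpc and mysql
from the outside, and treat ftp as redundant while ssh is open.
Helper names are hypothetical; the sample output is constructed from the scan above.
"""
import re

# Constructed sample: a subset of the "Port State Service" table from the scan above.
SCAN_OUTPUT = """\
Port       State       Service
1/tcp      open        tcpmux
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
111/tcp    open        sunrpc
3306/tcp   open        mysql
"""

# One table row: "<port>/<proto>   <state>   <service>"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)$")

# Services the post says should not be reachable from the outside world.
BLOCK_OUTSIDE = {"sunrpc", "mysql"}
# Services the post calls redundant when the named alternative is also open.
REDUNDANT_WITH = {"ftp": "ssh"}

def parse_ports(text):
    """Return (port, proto, state, service) tuples for each table row in nmap output."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports

def review_exposure(text):
    """Return (port, reason) findings for open services that violate the policy."""
    ports = parse_ports(text)
    open_services = {svc for _, _, state, svc in ports if state == "open"}
    findings = []
    for port, proto, state, svc in ports:
        if state != "open":
            continue
        if svc in BLOCK_OUTSIDE:
            findings.append((f"{port}/{proto}", f"{svc} should be blocked from the outside"))
        elif svc in REDUNDANT_WITH and REDUNDANT_WITH[svc] in open_services:
            findings.append((f"{port}/{proto}", f"{svc} is redundant while {REDUNDANT_WITH[svc]} is open"))
    return findings

if __name__ == "__main__":
    for port, reason in review_exposure(SCAN_OUTPUT):
        print(port, "-", reason)
```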

--- Dave <d-a-v-e@xxxxxxxxxx> wrote:
> -
> What does it mean to be rooted?
> 
> Do we simply need to replace files or change all the
> passwords?
> 
> Dave
> 
> Andy Sims wrote:
> 
> > -
> >
> > Well I suppose it would considering the list is
> hosted
> > by freelists.org
> >
> > Duh, should have thought of that.
> >
> > Glen or whoever keeps the SLAGA site up, if you
> could
> > use some help cleaning up this mess let me know.
> >
> > What a bummer,
> >
> > Andy (Yutty)
> >
> > --- Andy Sims <yutty_666@xxxxxxxxx> wrote:
> > > -
> > >
> > > I just tried to visit the home page and it looks
> > > like
> > > the box has been cracked.  I'm sending this to
> see
> > > if
> > > the list is still working.
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > New Yahoo! Photos - easier uploading and
> sharing.
> > > http://photos.yahoo.com/
> > >
> > >
> > > ****************************************************************************
> > >  Our WebPage!  Http://WWW.GeoStL.com
> > >  Mail List Info. //www.freelists.org/cgi-bin/list?list_id=geocaching
> > >  Mail List FAQ's: //www.freelists.org/help/questions.html
> > > ****************************************************************************
> > > To unsubscribe from this list:
> > >  send an email to geocaching-request@xxxxxxxxxxxxx
> > > with 'unsubscribe' in the Subject field

