[GeoStL] Re: Rooted?

  • From: "Jim Bensman" <jbensman1@xxxxxxxxxxx>
  • To: <geocaching@xxxxxxxxxxxxx>
  • Date: Tue, 23 Dec 2003 09:49:42 -0600

-
What are you talking about?  geostl.com looks fine to me.

> -----Original Message-----
> From: geocaching-bounce@xxxxxxxxxxxxx
> [mailto:geocaching-bounce@xxxxxxxxxxxxx]On Behalf Of Andy Sims
> Sent: Tuesday, December 23, 2003 7:44 AM
> To: geocaching@xxxxxxxxxxxxx
> Subject: [GeoStL] Re: Rooted?
> 
> 
> -
> Well the defaced website says it has been rooted,
> which means that the intruders have gained root access
> to the machine.  Root is the master user on a unix
> machine.  If this is the case then at the very least,
> passwords need to be changed and files restored.  It
> could just be BS too.  Maybe just the web server
> software (apache?) was vulnerable, and maybe the
> damage was just limited to that, but I don't know
> enough about the machine to say what is what.  They
> busted in somehow.  It was probably an automated
> attack, some sort of worm.
> 
> Usually when something like this happens a clean
> install of the OS with the most recent software is the
> best answer.  It may not be necessary.  I'd try
> http://www.chkrootkit.org/ first and see if it can be
> cleaned up.  The point of entry needs to be identified
> as well.  If the box is hardened, then it's probably
> the web server software.
> 
> A port scan of the machine shows:
> 
> Starting nmap 3.30 ( http://www.insecure.org/nmap/ )
> at 2003-12-23 07:36 CST
> Interesting ports on 66.78.41.199:
> (The 1628 ports scanned but not shown below are in
> state: closed)
> Port       State       Service
> 1/tcp      open        tcpmux
> 21/tcp     open        ftp
> 22/tcp     open        ssh
> 25/tcp     open        smtp
> 32/tcp     open        unknown
> 53/tcp     open        domain
> 80/tcp     open        http
> 110/tcp    open        pop-3
> 111/tcp    open        sunrpc
> 143/tcp    open        imap2
> 443/tcp    open        https
> 465/tcp    open        smtps
> 993/tcp    open        imaps
> 995/tcp    open        pop3s
> 3306/tcp   open        mysql
> 6666/tcp   open        irc-serv
> Device type: general purpose
> Running: Linux 2.4.X
> OS details: Linux 2.4.20 - 2.4.21 w/grsecurity.org
> patch
> Uptime 22.518 days (since Sun Nov 30 19:10:16 2003)
>  
> Nmap run completed -- 1 IP address (1 host up) scanned
> in 20.443 seconds
> root@yutty:/home/andy#
> 
> Port 111 should really be blocked on a machine out in
> the wild, and if mysql does nothing but serve data to
> (apache) then it should be blocked to the outside
> world as well.
> 
> imap has serious security issues if it's not up to
> date.
> 
> apache is always being updated because of security
> issues.
> 
> ftp is kind of redundant with ssh running seeing as
> how putty supports sftp nowadays.
> 
> I could go on and on.
> 
> I'm not going to poke at the box any more than this
> port scan unless someone tells me to.
> 
> Merry Christmas to us all.
> 
> Andy (Yutty)
> 
> --- Dave <d-a-v-e@xxxxxxxxxx> wrote:
> > -
> > What does it mean to be rooted?
> > 
> > Do we simply need to replace files or change all the
> > passwords?
> > 
> > Dave
> > 
> > Andy Sims wrote:
> > 
> > > -
> > >
> > > Well I suppose it would considering the list is hosted
> > > by freelists.org
> > >
> > > Duh, should have thought of that.
> > >
> > > Glen or whoever keeps the SLAGA site up, if you could
> > > use some help cleaning up this mess let me know.
> > >
> > > What a bummer,
> > >
> > > Andy (Yutty)
> > >
> > > --- Andy Sims <yutty_666@xxxxxxxxx> wrote:
> > > > -
> > > >
> > > > I just tried to visit the home page and it looks like
> > > > the box has been cracked.  I'm sending this to see if
> > > > the list is still working.
> > > >
> > > > __________________________________
> > > > Do you Yahoo!?
> > > > New Yahoo! Photos - easier uploading and
> > sharing.
> > > > http://photos.yahoo.com/
> > > >
> > > >
> > > > ****************************************************************************
> > > >  Our WebPage!  Http://WWW.GeoStL.com
> > > >  Mail List Info. //www.freelists.org/cgi-bin/list?list_id=geocaching
> > > >  Mail List FAQ's: //www.freelists.org/help/questions.html
> > > > ****************************************************************************
> > > > To unsubscribe from this list:
> > > >  send an email to geocaching-request@xxxxxxxxxxxxx
> > > > with 'unsubscribe' in the Subject field
> > > >
> > 
> > 
> 
> 
> 
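An added example, not part of the original thread: one way to turn the exposure points in Andy's quoted message (sunrpc, mysql, imap, ftp alongside ssh) into a repeatable check over a scan of your own host. The sample scan, the placeholder address 192.0.2.10 and the function names are constructed for illustration.

```python
import re

# Constructed sample in the nmap 3.x table layout quoted above; the address
# is a documentation placeholder (192.0.2.10), not a real host.
SAMPLE_SCAN = """\
Interesting ports on 192.0.2.10:
(The 1628 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
143/tcp    open        imap2
3306/tcp   open        mysql
8080/tcp   filtered    http-proxy
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_open_ports(scan_text):
    """Return {(port, proto): service} for every port reported as open."""
    open_ports = {}
    for line in scan_text.splitlines():
        # Archived mail often carries quote markers; strip them first.
        m = PORT_LINE.match(line.lstrip("> ").rstrip())
        if m and m.group(3) == "open":
            open_ports[(int(m.group(1)), m.group(2))] = m.group(4)
    return open_ports


def review_exposure(open_ports):
    """Apply the hardening points from the message to a parsed scan."""
    findings = []
    if (111, "tcp") in open_ports:
        findings.append((111, "block sunrpc at the perimeter"))
    if (3306, "tcp") in open_ports:
        findings.append((3306, "restrict mysql to local clients if only the web server uses it"))
    if (143, "tcp") in open_ports:
        findings.append((143, "confirm the imap daemon is up to date"))
    # ftp is only called redundant when ssh (and so sftp) is available.
    if (21, "tcp") in open_ports and (22, "tcp") in open_ports:
        findings.append((21, "retire ftp in favour of sftp over ssh"))
    return sorted(findings)


if __name__ == "__main__":
    for port, action in review_exposure(parse_open_ports(SAMPLE_SCAN)):
        print(f"{port}/tcp: {action}")
```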
