Everything looks perfectly fine, although I haven't been there in a while.
How did you find out it was rooted? Wouldn't a regular hacker deface the
site more?

~Chris

----- Original Message -----
From: "Jim Bensman" <jbensman1@xxxxxxxxxxx>
To: <geocaching@xxxxxxxxxxxxx>
Sent: Tuesday, December 23, 2003 9:49 AM
Subject: [GeoStL] Re: Rooted?

> What are you talking about? geostl.com looks fine to me.
>
> > -----Original Message-----
> > From: geocaching-bounce@xxxxxxxxxxxxx
> > [mailto:geocaching-bounce@xxxxxxxxxxxxx]On Behalf Of Andy Sims
> > Sent: Tuesday, December 23, 2003 7:44 AM
> > To: geocaching@xxxxxxxxxxxxx
> > Subject: [GeoStL] Re: Rooted?
> >
> > Well, the defaced website says it has been rooted,
> > which means that the intruders have gained root access
> > to the machine. Root is the master user on a unix
> > machine. If this is the case then at the very least,
> > passwords need to be changed and files restored. It
> > could just be BS too. Maybe just the web server
> > software (apache?) was vulnerable, and maybe the
> > damage was just limited to that, but I don't know
> > enough about the machine to say what is what. They
> > busted in somehow. It was probably an automated
> > attack, some sort of worm.
> >
> > Usually when something like this happens a clean
> > install of the OS with the most recent software is the
> > best answer. It may not be necessary. I'd try
> > http://www.chkrootkit.org/ first and see if it can be
> > cleaned up. The point of entry needs to be identified
> > as well. If the box is hardened, then it's probably
> > the web server software.
> >
> > A port scan of the machine shows:
> >
> > Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-12-23 07:36 CST
> > Interesting ports on 66.78.41.199:
> > (The 1628 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 1/tcp      open        tcpmux
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 32/tcp     open        unknown
> > 53/tcp     open        domain
> > 80/tcp     open        http
> > 110/tcp    open        pop-3
> > 111/tcp    open        sunrpc
> > 143/tcp    open        imap2
> > 443/tcp    open        https
> > 465/tcp    open        smtps
> > 993/tcp    open        imaps
> > 995/tcp    open        pop3s
> > 3306/tcp   open        mysql
> > 6666/tcp   open        irc-serv
> > Device type: general purpose
> > Running: Linux 2.4.X
> > OS details: Linux 2.4.20 - 2.4.21 w/grsecurity.org patch
> > Uptime 22.518 days (since Sun Nov 30 19:10:16 2003)
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 20.443 seconds
> > root@yutty:/home/andy#
> >
> > Port 111 should really be blocked on a machine out in
> > the wild, and if mysql does nothing but serve data to
> > (apache) then it should be blocked to the outside
> > world as well.
> >
> > imap has serious security issues if it's not up to
> > date.
> >
> > apache is always being updated because of security
> > issues.
> >
> > ftp is kind of redundant with ssh running seeing as
> > how putty supports sftp nowadays.
> >
> > I could go on and on.
> >
> > I'm not going to poke at the box any more than this
> > port scan unless someone tells me to.
> >
> > Merry Christmas to us all.
> >
> > Andy (Yutty)
> >
> > --- Dave <d-a-v-e@xxxxxxxxxx> wrote:
> > > What does it mean to be rooted?
> > >
> > > Do we simply need to replace files or change all the
> > > passwords?
> > >
> > > Dave
> > >
> > > Andy Sims wrote:
> > >
> > > > Well I suppose it would considering the list is
> > > > hosted by freelists.org
> > > >
> > > > Duh, should have thought of that.
> > > >
> > > > Glen or whoever keeps the SLAGA site up, if you could
> > > > use some help cleaning up this mess let me know.
> > > >
> > > > What a bummer,
> > > >
> > > > Andy (Yutty)
> > > >
> > > > --- Andy Sims <yutty_666@xxxxxxxxx> wrote:
> > > > > I just tried to visit the home page and it looks like
> > > > > the box has been cracked. I'm sending this to see if
> > > > > the list is still working.
> > > > >
> > > > > ****************************************************************************
> > > > > Our WebPage! Http://WWW.GeoStL.com
> > > > > Mail List Info. //www.freelists.org/cgi-bin/list?list_id=geocaching
> > > > > Mail List FAQ's: //www.freelists.org/help/questions.html
> > > > > ****************************************************************************
> > > > > To unsubscribe from this list:
> > > > > send an email to geocaching-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
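
The exposure review in Andy Sims's quoted message, written out as an added example that is not part of the original thread: it parses the port table from the quoted nmap output and applies the points he raises about sunrpc, mysql, ftp, imap and apache. The function names, the rule table and its action labels are assumptions made for illustration.

```python
import re

# Port table copied from the nmap 3.30 output quoted in the thread.
SCAN = """\
Port       State       Service
1/tcp      open        tcpmux
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
32/tcp     open        unknown
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
143/tcp    open        imap2
443/tcp    open        https
465/tcp    open        smtps
993/tcp    open        imaps
995/tcp    open        pop3s
3306/tcp   open        mysql
6666/tcp   open        irc-serv
"""

ROW = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)$")

def parse_ports(text):
    """Return {port: service} for rows in state 'open'; other lines are skipped."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {int(m.group(1)): m.group(3) for m in rows if m and m.group(2) == "open"}

# service -> (action, services that must also be open for the rule to apply).
# The rules restate the message's points; the action labels are assumptions.
RULES = {
    "sunrpc": ("block", ()),             # "Port 111 should really be blocked"
    "mysql": ("restrict", ()),           # only serves data to the web server
    "ftp": ("disable", ("ssh",)),        # redundant while ssh/sftp is offered
    "imap2": ("check-version", ()), "imaps": ("check-version", ()),
    "http": ("check-version", ()), "https": ("check-version", ()),
}

def review(ports):
    """Return sorted (port, service, action) findings for the open ports."""
    up = set(ports.values())
    return sorted((p, s, RULES[s][0]) for p, s in ports.items()
                  if s in RULES and up.issuperset(RULES[s][1]))

if __name__ == "__main__":
    for port, svc, action in review(parse_ports(SCAN)):
        print(f"{port}/tcp {svc}: {action}")
```
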