[GeoStL] Re: Rooted?

  • From: "Chris Binder" <cpbinder@xxxxxxxxxxx>
  • To: <geocaching@xxxxxxxxxxxxx>
  • Date: Tue, 23 Dec 2003 10:01:04 -0600

-
Everything looks perfectly fine, although I haven't been there in a while.
How did you find out it was rooted? Wouldn't a regular hacker deface the
site more?

~Chris


----- Original Message ----- 
From: "Jim Bensman" <jbensman1@xxxxxxxxxxx>
To: <geocaching@xxxxxxxxxxxxx>
Sent: Tuesday, December 23, 2003 9:49 AM
Subject: [GeoStL] Re: Rooted?


> -
> What are you talking about?  geostl.com looks fine to me.
>
> > -----Original Message-----
> > From: geocaching-bounce@xxxxxxxxxxxxx
> > [mailto:geocaching-bounce@xxxxxxxxxxxxx]On Behalf Of Andy Sims
> > Sent: Tuesday, December 23, 2003 7:44 AM
> > To: geocaching@xxxxxxxxxxxxx
> > Subject: [GeoStL] Re: Rooted?
> >
> >
> > -
> > Well the defaced website says it has been rooted,
> > which means that the intruders have gained root access
> > to the machine.  Root is the master user on a unix
> > machine.  If this is the case then at the very least,
> > passwords need to be changed and files restored.  It
> > could just be BS too.  Maybe just the web server
> > software (apache?) was vulnerable, and maybe the
> > damage was just limited to that, but I don't know
> > enough about the machine to say what is what.  They
> > busted in somehow.  It was probably an automated
> > attack, some sort of worm.
> >
> > Usually when something like this happens a clean
> > install of the OS with the most recent software is the
> > best answer.  It may not be necessary.  I'd try
> > http://www.chkrootkit.org/ first and see if it can be
> > cleaned up.  The point of entry needs to be identified
> > as well.  If the box is hardened, then it's probably
> > the web server software.
> >
> > A port scan of the machine shows:
> >
> > Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-12-23 07:36 CST
> > Interesting ports on 66.78.41.199:
> > (The 1628 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 1/tcp      open        tcpmux
> > 21/tcp     open        ftp
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 32/tcp     open        unknown
> > 53/tcp     open        domain
> > 80/tcp     open        http
> > 110/tcp    open        pop-3
> > 111/tcp    open        sunrpc
> > 143/tcp    open        imap2
> > 443/tcp    open        https
> > 465/tcp    open        smtps
> > 993/tcp    open        imaps
> > 995/tcp    open        pop3s
> > 3306/tcp   open        mysql
> > 6666/tcp   open        irc-serv
> > Device type: general purpose
> > Running: Linux 2.4.X
> > OS details: Linux 2.4.20 - 2.4.21 w/grsecurity.org patch
> > Uptime 22.518 days (since Sun Nov 30 19:10:16 2003)
> >
> > Nmap run completed -- 1 IP address (1 host up) scanned in 20.443 seconds
> > root@yutty:/home/andy#
> >
> > Port 111 should really be blocked on a machine out in
> > the wild, and if mysql does nothing but serve data to
> > (apache) then it should be blocked to the outside
> > world as well.
> >
> > imap has serious security issues if it's not up to
> > date.
> >
> > apache is always being updated because of security
> > issues.
> >
> > ftp is kind of redundant with ssh running seeing as
> > how putty supports sftp nowadays.
> >
> > I could go on and on.
> >
> > I'm not going to poke at the box any more than this
> > port scan unless someone tells me to.
> >
> > Merry Christmas to us all.
> >
> > Andy (Yutty)
> >
> > --- Dave <d-a-v-e@xxxxxxxxxx> wrote:
> > > -
> > > What does it mean to be rooted?
> > >
> > > Do we simply need to replace files or change all the
> > > passwords?
> > >
> > > Dave
> > >
> > > Andy Sims wrote:
> > >
> > > > -
> > > >
> > > > Well I suppose it would considering the list is
> > > > hosted by freelists.org
> > > >
> > > > Duh, should have thought of that.
> > > >
> > > > Glen or whoever keeps the SLAGA site up, if you
> > > > could use some help cleaning up this mess let me know.
> > > >
> > > > What a bummer,
> > > >
> > > > Andy (Yutty)
> > > >
> > > > --- Andy Sims <yutty_666@xxxxxxxxx> wrote:
> > > > > -
> > > > >
> > > > > I just tried to visit the home page and it looks
> > > > > like the box has been cracked.  I'm sending this to
> > > > > see if the list is still working.
> > > > >
> > > > > __________________________________
> > > > > Do you Yahoo!?
> > > > > New Yahoo! Photos - easier uploading and sharing.
> > > > > http://photos.yahoo.com/
> > > > >
> > > > >
> > > >
> > >
> > > > > ****************************************************************************
> > > > >  Our WebPage!  Http://WWW.GeoStL.com
> > > > >  Mail List Info. //www.freelists.org/cgi-bin/list?list_id=geocaching
> > > > >  Mail List FAQ's: //www.freelists.org/help/questions.html
> > > > >
> > > > > ****************************************************************************
> > > > > To unsubscribe from this list:
> > > > >  send an email to geocaching-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field
> > > > >
> >
>
>
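The scan output Andy posted above, run through a small exposure check, as an added example that is not part of the thread: it parses the nmap port table, flags the two services Andy says should not face the Internet (111/sunrpc and 3306/mysql), puts every other open port that is not on an assumed allow-list for a web/mail host into a "review" bucket, and prints the iptables rules that would close the flagged ports while keeping mysql reachable for the local web server. The allow-list, the INTERNAL_ONLY set and the rule format are assumptions for the example, not something the thread specifies.

```python
"""Check an nmap port listing against an exposure policy for a public web/mail host.

Added example for the GeoStL thread; not code from the thread or from nmap.
The scan text below is nmap 3.30 "normal" output as quoted in Andy's message.
"""
import re

NMAP_OUTPUT = """\
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-12-23 07:36 CST
Interesting ports on 66.78.41.199:
(The 1628 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      open        tcpmux
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
32/tcp     open        unknown
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
143/tcp    open        imap2
443/tcp    open        https
465/tcp    open        smtps
993/tcp    open        imaps
995/tcp    open        pop3s
3306/tcp   open        mysql
6666/tcp   open        irc-serv
"""

# Policy (assumption for this example): ports the thread says must not be reachable
# from outside, and the set a combined web/mail host would be expected to expose.
INTERNAL_ONLY = {111: "sunrpc", 3306: "mysql"}
EXPECTED_PUBLIC = {22, 25, 53, 80, 110, 143, 443, 465, 993, 995}

# One nmap port line: "<port>/<proto>   <state>   <service>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_nmap_ports(text):
    """Return [(port, proto, state, service), ...] for every port line in nmap normal output."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, service = m.groups()
            found.append((int(port), proto, state, service))
    return found


def classify(ports):
    """Sort open ports into 'block' (internal-only), 'ok' (expected) and 'review' (unexplained)."""
    result = {"block": [], "review": [], "ok": []}
    for port, proto, state, service in ports:
        if state != "open":
            continue  # closed/filtered ports need no action
        if port in INTERNAL_ONLY:
            result["block"].append((port, service))
        elif port in EXPECTED_PUBLIC:
            result["ok"].append((port, service))
        else:
            result["review"].append((port, service))
    return result


def firewall_rules(findings):
    """Emit iptables rules for the 'block' findings.

    mysql stays reachable over the loopback interface so a local apache can still
    use it; everything else in the block list is dropped outright.
    """
    rules = []
    for port, service in findings["block"]:
        if service == "mysql":
            rules.append(f"iptables -A INPUT -i lo -p tcp --dport {port} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    findings = classify(parse_nmap_ports(NMAP_OUTPUT))
    for bucket in ("block", "review", "ok"):
        print(f"{bucket}: " + ", ".join(f"{p}/{s}" for p, s in findings[bucket]))
    print("\n".join(firewall_rules(findings)))
```

Anything that lands in "review" (here 1/tcpmux, 21/ftp, 32/unknown and 6666/irc-serv) is simply not explained by the host's stated role and is where the box's owner should look next; the script does not decide whether those are legitimate.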

