NFR Wizards Archive: RE: Hacked

RE: Hacked


dreamwvr (dreamwvrdreamwvr.com)
Mon, 01 Mar 1999 21:04:08 -0700


hi,
  also check your 'tcp_wrappers'
                                                                Regards,
                                                                dreamwvrdreamwvr.com
At 02:47 PM 2/28/99 -0500, jonathanleto.net wrote:
>You didn't get hacked, you got script kiddied.
>You're running Red Hat, right? The two most infamous Red Hat exploits are named and
>imap. There are scanners that search for just these two things, and they still
>find plenty.
>First of all, NEVER use any type of default. It's defeating the purpose of
>Linux; customize it. Make it do what you want it to do. If this is just a home box
>that you want to be able to get to, disable everything and install sshd. Telnet
>is not secure. Make sure you get a brand spanking new ftp daemon; a couple of
>weeks ago a big exploit was found in many of them. Or just be really 3leet and
>pipe ftp through ssh.
>
>On 26-Feb-99 Steve wrote:
>> Hacked this last weekend or sometime.
>>
>> What I'm running:
>>
>> Linux 2.0.35 with ipfwadm, all defaults, added masq for 192.168.1.0 to
>> 0.0.0.0 to feed my home LAN to ppp through a little 56.6k dial up.
>>
>> How I found out:
>>
>> Tried to log in telnet from an inside machine, wouldn't allow me to log in
>> under any user name I had configured - root, col or steve. Finally rebooted
>> (Windows habit) and noticed that syslog couldn't write to any of the log
>> files and still couldn't log in.
>>
>> Long story short:
>>
>> Got the machine back up with a new hard drive (install fresh on the hacked
>> drive???!!! Hell no!!! It's evidence and possible clues as to
>> who/what/when/how - the whole deal).
>>
>> So I mount the drive and find a message in my root directory:
>>
>> hehe.idiot.fix.your.imap.and.feel.glad.i.didnt.rm-rf.everything
>>
>> imap, huh? I knew I was running lots of services - it was a hacker's dream,
>> most likely. But this was at home, and it was quite sloppy. But it did its
>> purpose - my LAN *seems* okay - no evidence of any tampering, though it was
>> quite possible - again, from sloppiness. Anyway, I have a real,
>> honest-to-goodness hacked drive over here - something live to study and
>> learn from.
>>
>> BTW - first thing I did was to check for messages, and, just as the messages
>> on boot-up said, the log directory is gone. First thing this weekend - I
>> will buy a computer for logging - do that transmission trick with the
>> wiring - wire a cable only with the what - 1 and 2 wires, so it would be
>> physically impossible for them to receive any feedback on the connection to
>> try to delete those files on the other machine. (But I may wait until next
>> week - it's First Saturday down here in Dallas).
>>
>> Besides that, I'll be keeping that hard drive off the network, except to
>> look at it - I don't want anything to happen to it! I just may do a dd to get
>> a backup while I'm at it.
>>
>> I'm writing to share my experience, get some feedback and learn. I'd love
>> to hear from anyone with ideas on what to look for on that drive, and
>> anything else that comes to mind.
>>
>> Finally, am I ashamed to be writing this? No way!!! I love this! It's all
>> just a game, and I love to play . . .
>>
>
>
>--] jonathanleto.net [--
>--] 28-Feb-99 14:39:45[--
>
>
>
Reuters, London, February 29, 1998:
Scientists have announced discovering a meteorite which will strike the
earth in March, 2028. Millions of UNIX coders expressed relief for being
spared the UNIX epoch "crisis" of 2038.
                                                                   
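Steve asks what to look for on the mounted drive, and dreamwvr's one-line reply is to check tcp_wrappers. The script below is an added example for this archive page, not code posted by anyone in the thread. It assumes the evidence drive (or, better, a dd image of it mounted with -o ro,loop) is mounted read-only at the path given as its first argument, and it only reads from that tree: it looks for the intruder's note, lists the services inetd.conf still enables (imap among them), reports whether hosts.allow and hosts.deny say anything at all, checks whether /var/log survived, and finds setuid files outside the stock bin directories. The tree it builds when run with no argument is constructed to resemble the box in the thread; the mount point and the file names are assumptions.

```shell
#!/bin/sh
# Offline triage of a compromised root filesystem, run against the drive (or a
# dd image of it) mounted read-only. Added example for this thread, not anyone's
# posted code. Assumed layout: the mount point is passed as $1, e.g.
# /mnt/evidence, and every check only reads from it.

# 1. The intruder's calling card: files in / or /root whose name mentions imap.
check_notes() {
    for f in "$1"/* "$1"/root/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            *imap*) echo "NOTE: intruder file $f" ;;
        esac
    done
}

# 2. Services inetd was still starting; the ones below are the usual suspects.
#    Field 6 is the server program (tcpd on a stock box), the last word the daemon.
check_inetd() {
    f="$1/etc/inetd.conf"
    [ -f "$f" ] || { echo "MISSING: etc/inetd.conf"; return 0; }
    grep -E '^[[:space:]]*(imap2?|imaps|pop-?[23]|telnet|ftp|shell|login|exec|finger)[[:space:]]' "$f" |
        awk '{print "SERVICE: inetd starts " $1 " via " $6}'
}

# 3. tcp_wrappers policy. tcpd consults hosts.allow, then hosts.deny, and permits
#    anything neither file mentions, so two empty files mean "everyone welcome".
check_wrappers() {
    for f in hosts.allow hosts.deny; do
        if [ -s "$1/etc/$f" ]; then
            grep -Ev '^[[:space:]]*(#|$)' "$1/etc/$f" | sed "s|^|WRAPPERS: $f: |"
        else
            echo "WRAPPERS: etc/$f missing or empty"
        fi
    done
}

# 4. What happened to the logs: the whole directory, or individual files.
check_logs() {
    if [ -d "$1/var/log" ]; then
        for f in messages secure wtmp; do
            [ -s "$1/var/log/$f" ] || echo "LOGS: var/log/$f missing or empty"
        done
    else
        echo "LOGS: var/log is gone"
    fi
}

# 5. setuid files anywhere outside the stock bin directories (dropped root shells).
check_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null |
        grep -Ev '/(bin|sbin|usr/bin|usr/sbin|usr/X11R6/bin)/' | sed 's|^|SETUID: |'
}

# Run every check; one finding per line, prefixed with its category.
triage_root() {
    root="${1%/}"
    check_notes "$root"
    check_inetd "$root"
    check_wrappers "$root"
    check_logs "$root"
    check_setuid "$root"
}

# Constructed sample tree resembling the box in the thread (not real evidence),
# so the script can be tried without a compromised disk.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/root" "$1/var" "$1/tmp/.x"
    : > "$1/hehe.idiot.fix.your.imap.and.feel.glad.i.didnt.rm-rf.everything"
    cat > "$1/etc/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
#finger stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    : > "$1/etc/hosts.allow"     # stock install: both wrapper files empty
    : > "$1/etc/hosts.deny"
    : > "$1/tmp/.x/sh"; chmod 4755 "$1/tmp/.x/sh"   # a dropped setuid shell
}

# Usage: triage.sh /mnt/evidence   (no argument: run against the sample tree)
if [ -n "${1:-}" ]; then
    triage_root "$1"
else
    d=$(mktemp -d); make_sample_tree "$d"; triage_root "$d"; rm -rf "$d"
fi
```

Mount the image read-only before running anything against it, and keep the dd copy as the working set so the original drive's timestamps stay untouched.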

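Jonathan's advice for the rebuilt box (disable everything, run sshd, keep a current ftpd) and Steve's plan for a logging machine that cannot be reached back over the wire come down to three configuration changes. The functions below are an added example, not the thread's own code. They edit files under a staging root so they can be tried safely; the LAN prefix 192.168.1. (from Steve's masq setup), the log target @loghost and the serial device /dev/ttyS1 are assumptions to substitute, and sshd is assumed to be built with libwrap so that hosts.allow applies to it.

```shell
#!/bin/sh
# Harden the rebuilt box the way the thread suggests: comment out every inetd
# service you do not need, default-deny in tcp_wrappers with sshd allowed from
# the LAN only, and copy syslog off the machine. Added example, not from the
# thread. ROOT is an assumed staging root (use / on the real box after backing
# up /etc); the LAN prefix and log target are whatever your network uses.

# Comment out every active inetd.conf line whose service name is not in KEEP.
disable_inetd_services() {           # disable_inetd_services ROOT "ftp pop-3"
    f="$1/etc/inetd.conf"
    awk -v keep=" $2 " '
        /^[ \t]*#/ || /^[ \t]*$/   { print; next }   # comment or blank: leave alone
        index(keep, " " $1 " ")    { print; next }   # wanted service: keep
        { print "#" $0 }                             # everything else: off
    ' "$f" > "$f.new" && mv "$f.new" "$f"
}

# tcp_wrappers: deny all, then allow only sshd (built with libwrap) from the LAN.
write_wrappers() {                   # write_wrappers ROOT 192.168.1.
    printf 'ALL: ALL\n' > "$1/etc/hosts.deny"
    printf 'sshd: %s\n' "$2" > "$1/etc/hosts.allow"
}

# syslog: keep the local files and also send every message somewhere the
# intruder cannot reach back to: a log host (@loghost) or a serial port with
# only TX and GND wired (/dev/ttyS1). Safe to call more than once.
add_remote_syslog() {                # add_remote_syslog ROOT @loghost
    c="$1/etc/syslog.conf"
    grep -q "[[:space:]]$2\$" "$c" 2>/dev/null || printf '*.*\t%s\n' "$2" >> "$c"
}

# 0 when no unwanted service is active, deny-all is set, and syslog forwards.
verify_hardening() {                 # verify_hardening ROOT "ftp" @loghost
    active=$(grep -Ev '^[[:space:]]*(#|$)' "$1/etc/inetd.conf" | awk '{print $1}')
    for s in $active; do
        case " $2 " in *" $s "*) ;; *) echo "still enabled: $s"; return 1 ;; esac
    done
    grep -q '^ALL:[[:space:]]*ALL' "$1/etc/hosts.deny" || { echo "no deny-all"; return 1; }
    grep -q "^\*\.\*[[:space:]].*$3\$" "$1/etc/syslog.conf" || { echo "no remote syslog"; return 1; }
    return 0
}

# Constructed stock-looking /etc to try the functions on (not a real system).
make_sample_etc() {
    mkdir -p "$1/etc"
    cat > "$1/etc/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
EOF
    printf '*.info;mail.none;authpriv.none\t/var/log/messages\n' > "$1/etc/syslog.conf"
}

# Demonstration on a constructed /etc; on the real box call the functions with / as ROOT.
demo=$(mktemp -d)
make_sample_etc "$demo"
disable_inetd_services "$demo" "ftp"   # only the freshly updated ftpd stays; sshd runs standalone
write_wrappers "$demo" "192.168.1."
add_remote_syslog "$demo" "@loghost"
verify_hardening "$demo" "ftp" "@loghost" && cat "$demo/etc/inetd.conf" "$demo/etc/hosts.allow"
rm -rf "$demo"
```

After changing inetd.conf and syslog.conf on a live box, send inetd and syslogd a HUP so they reread their files, and confirm from another machine that telnet and imap no longer answer.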


This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:18:15 CDT