[NCLUG] I was hacked!

Matt Pujol mattp at lsil.com
Thu Dec 28 14:24:08 MST 2000


Hi,

I posted a couple of weeks ago asking about enabling telnet.  Well, I
think it, or ftp, got me hacked over the weekend.  Somebody gained
access, created two user accounts and ended up uploading and compiling the
source for a port sniffer/hacker program in "/root/..    /scan/".
Pretty tricky, but they left footprints in the .bash_history files.
They also tried to email my O/S version back to somebody, but the mail
bounced (I have a bogus domain name for the lab) and I got an
undeliverable mail message.

Since I found this out and shut down the services, I've been getting
like 3 or 4 login attempts a day from other Redhat 6.2 installs.  I'm
running the standard 6.2 workstation install, the telnet and ftp servers
are off the distribution.

Luckily, the hack was on one of my home lab machines.  I had just set it
up for 1394-Linux driver stuff only, so no real work was compromised,
just my ego.  If anyone is interested in seeing how they did it (I saved
most of the logs and the bash_histories) I can post the logs and source
on the reflector.

I guess the moral of the story is "Firewalls are your friend".

Best Regards,

Matt

--
/***********************
Matt Pujol
Product Marketing Manager
1394 and USB CoreWare Technologies

LSI Logic
2001 Danfield Court
Fort Collins, CO 80525
970-206-5816
matt.pujol at lsil.com
***********************/
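Added example, not part of Matt's post or the NCLUG archive: a small POSIX shell script that checks for the two footprints the post describes, a directory hidden under a dot-and-space name (the post's "/root/..    /scan/", which most directory listings render as an almost invisible entry) and accounts that were added to /etc/passwd. Every path and account name it creates is a constructed fixture in a temporary directory, not a real system file; the function names (find_disguised_dirs, find_new_accounts, make_fixture) are this example's own.

```shell
#!/bin/sh
# Defender-side checks for the two traces described in the post. Added example,
# not the original poster's code. Fixtures below are constructed, not real files.
set -eu
export LC_ALL=C   # stable sort order for comm(1)

# Print every directory under $1 whose name is made only of dots and spaces
# (at least one space), e.g. "/root/..    ". Such names hide from a casual ls.
find_disguised_dirs() {
    find "$1" -type d | while IFS= read -r d; do
        base=${d##*/}
        case "$base" in
            *' '*)
                if [ -z "$(printf '%s' "$base" | tr -d '. ')" ]; then
                    printf '%s\n' "$d"
                fi
                ;;
        esac
    done
}

# $1 = known-good copy of /etc/passwd, $2 = current passwd file.
# Print login names present in $2 but absent from $1, then any account other
# than root that carries UID 0 (a common way to keep privileged access).
find_new_accounts() {
    old=$(mktemp); new=$(mktemp)
    cut -d: -f1 "$1" | sort > "$old"
    cut -d: -f1 "$2" | sort > "$new"
    comm -13 "$old" "$new"
    awk -F: '$3 == 0 && $1 != "root" { print $1 " (uid 0)" }' "$2"
    rm -f "$old" "$new"
}

# Build a constructed fixture tree so the example runs offline: one disguised
# directory (four spaces after the dots), a baseline passwd and a "current"
# passwd with two added accounts ("backup2" with UID 0, "ftpuser2"). All made up.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/root/..    /scan" "$dir/root/bin" "$dir/home/labuser"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/passwd.baseline"
    printf 'labuser:x:500:500::/home/labuser:/bin/bash\n' >> "$dir/passwd.baseline"
    cp "$dir/passwd.baseline" "$dir/passwd.current"
    printf 'backup2:x:0:0::/root:/bin/bash\n' >> "$dir/passwd.current"
    printf 'ftpuser2:x:501:501::/tmp:/bin/bash\n' >> "$dir/passwd.current"
    printf '%s\n' "$dir"
}

# Demonstration on the fixture; on a real box you would pass / and a
# known-good passwd copy taken before the incident.
FIXTURE=$(make_fixture)
echo "Disguised directories:"
find_disguised_dirs "$FIXTURE"
echo "Accounts not in baseline, plus extra UID 0 accounts:"
find_new_accounts "$FIXTURE/passwd.baseline" "$FIXTURE/passwd.current"
rm -rf "$FIXTURE"
```

The directory check flags any name that disappears into a listing; once a path is flagged, grepping every .bash_history under /root and /home for it is the natural next step, since that is exactly where the post says the footprints were. The account check only works against a copy of passwd saved before the incident, which is a good argument for keeping one (or a package-manager or tripwire-style baseline) on every lab box.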