Recently did a default install of 6.2 on an IBM 486. The only thing I configured was the DNS server; Apache, sendmail, inetd, ident etc. have not been changed from the base install. System was hacked by an IRC user through inetd, from what I can gather. Have had servers running on 4.0 through 6.1 over the past 4 years.

All of the /var/log files have been deleted, /etc/logwatch has been deleted, and the user was able to create a new user account /home/t, then ftp'd a copy of BNC, some kind of remote IRC proxy daemon which uses the host IP to mask the actual user on IRC! Is there any way I can retrieve the deleted logs of what occurred so that I can forward these on to you?

I have restored my original files from backup and disabled the ftp, telnet and gopher services by commenting these out in the inetd.conf file and restarting inetd. Tested these remotely to ensure the services were disabled. I have enabled tripwire and logwatch as well. I have also changed all passwords on the system. My issue is that this hacker has obviously got a good snapshot of my installed system. Please return advice by e-mail to admin
Have traced the hacker to using IP 64.209.152.146, which may be a masquerade. As a follow-up, this user has been trying to log in using the in.rlogind module. Fortunately I have removed all the references to this proxy host. Furthermore, I have had multiple attempts at the ftp login from 217.80.165.206.
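The clean-up the reporter describes above (commenting the unwanted services out of inetd.conf, restarting inetd, then checking what is still exposed) as an added worked example; this is not code from the report or from Red Hat. The inetd.conf fragment is constructed for the demo in the Red Hat 6.x layout, the helper names are hypothetical, and it goes one step beyond the post by also disabling `login`, since the follow-up mentions in.rlogind attempts. Only the service-name field is matched, so an already commented line is left alone and the edit is safe to repeat.

```shell
#!/bin/sh
# Added example, not part of the original report. Disables inetd services
# the way the poster did and lists what remains enabled in the file.

# Constructed /etc/inetd.conf sample (service socket proto wait user server args).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
# inetd.conf (constructed sample for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF

# disable_inetd_services CONF SERVICE...
# Prefix every active line whose first field is one of SERVICE with '#'.
# The edited text is written back through the existing file so its
# ownership and mode are preserved (hypothetical helper name).
disable_inetd_services() {
    conf=$1; shift
    tmp=$(mktemp)
    cp "$conf" "$tmp"
    for svc in "$@"; do
        # Anchor on the service name followed by whitespace; a line that is
        # already commented starts with '#' and therefore does not match.
        sed "s/^\\(${svc}[[:space:]]\\)/#\\1/" "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    done
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# enabled_inetd_services CONF
# Print the service names that are still active (not commented, not blank).
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Usage: turn off the services the poster removed plus login (rlogind).
disable_inetd_services "$SAMPLE_CONF" ftp telnet gopher login
echo "still enabled in $SAMPLE_CONF:"
enabled_inetd_services "$SAMPLE_CONF"
```

On the real host, run this against /etc/inetd.conf as root and then make inetd reread its configuration with `killall -HUP inetd` (or the init script restart the poster used). The file check only tells you what inetd will offer after the reload; the remote test the poster did, connecting to each port from another machine, is still the confirmation that the service is actually gone, and it also catches a listener that was started outside inetd by the intruder.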
There are no known security holes in inetd, and it has been audited. However, other programs have had problems since the release of Red Hat Linux 6.2, and I believe one of these has been used. Be sure to apply all errata listed on http://www.redhat.com/errata/ - for maximum security, install up2date and run that on a frequent basis, as well as subscribing to the redhat-watch list.