Bug 24545 - Default Install Hacked
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: inetd
Version: 6.2
Hardware: i386
OS: Linux
Priority: high
Severity: medium
Assigned To: Jeff Johnson
Keywords: Security
Reported: 2001-01-22 08:56 EST by David Willis
Modified: 2008-05-01 11:37 EDT (History)

Last Closed: 2001-01-23 06:55:21 EST
Description David Willis 2001-01-22 08:56:55 EST
Recently did a default install of 6.2 on an IBM 486.

The only thing I configured was the DNS server.

Apache, sendmail, inetd, ident etc. have not been changed from the base
install.

System was hacked by an IRC user through inetd from what I can gather.
Have had servers running on 4.0 through 6.1 over the past 4 years.

All of the /var/log files have been deleted.
/etc/logwatch deleted.

The user was able to create a new user account /home/t,
then ftp'd a copy of BNC, some kind of remote IRC proxy daemon which uses
the host IP to mask the actual user on IRC!

Is there any way I can retrieve the deleted logs of what occurred so that I
can forward these on to you?

I have restored my original files from backup and disabled the ftp, telnet
& gopher services by commenting these out in the inetd.conf file and
restarting inetd. Tested these remotely to ensure the services were
disabled.

I have enabled tripwire and logwatch as well.

I have also changed all passwords on the system; my issue is that this hacker
has obviously got a good snapshot of my installed system.

Please return advice by e-mail to admin@epo-box.com
Comment 1 David Willis 2001-01-23 06:55:18 EST
Have traced the hacker to using IP 64.209.152.146, which may be a masquerade.
As a follow up, this user has been trying to log in using the in.rlogind module.

Fortunately I have removed all the references to this proxy host.

Furthermore, I have had multiple attempts at the ftp login from 217.80.165.206
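The remediation the reporter describes (commenting the ftp, telnet and gopher entries out of inetd.conf and restarting inetd, with in.rlogind named in the follow-up) can be checked and repeated mechanically. The following is an added example, not code from the bug report or from Red Hat: it lists the services still enabled in an inetd.conf, flags those four (login is the inetd service name behind in.rlogind), and writes a hardened copy with them commented out. The sample inetd.conf is constructed and assumes the classic seven-field layout.

```shell
#!/bin/sh
# Added example (not from the bug report or Red Hat): audit an inetd.conf
# for the services the reporter disabled and write a hardened copy.
# Assumes the classic inetd.conf field order:
#   <service> <socket_type> <proto> <flags> <user> <server_path> <args>

# Write a constructed sample inetd.conf to the path given as $1.
make_sample_inetd_conf() {
  cat > "$1" <<'EOF'
# Constructed sample; "login" is the rlogin service handled by in.rlogind.
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
gopher  stream  tcp     nowait  root    /usr/sbin/tcpd  gn
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Print the name of every service that is still enabled (not commented out).
enabled_services() {
  awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# Of those, print the ones the report turned off (ftp, telnet, gopher) plus
# login, the service behind in.rlogind that the follow-up mentions.
risky_enabled() {
  enabled_services "$1" | grep -Ex 'ftp|telnet|gopher|login' || true
}

# Write a hardened copy of $1 to $2 with the risky lines commented out, the
# same change the reporter made by hand. inetd must then be restarted or
# sent SIGHUP so it rereads the file.
harden_inetd_conf() {
  awk '$1 ~ /^(ftp|telnet|gopher|login)$/ { print "#" $0; next } { print }' \
    "$1" > "$2"
}
```

Running `risky_enabled /etc/inetd.conf` on a live host prints nothing once the hardening has been applied, which is the same check the reporter performed remotely.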
Comment 2 Trond Eivind Glomsrød 2001-01-25 13:50:06 EST
There are no known security holes in inetd, and it has been audited. However,
other programs have had problems since the release of Red Hat Linux 6.2 and I
believe one of these has been used. Be sure to apply all errata listed on
http://www.redhat.com/errata/ - for maximum security, install up2date and run
that on a frequent basis as well as subscribe to the redhat-watch list.
