Bug 24545 - Default Install Hacked
Summary: Default Install Hacked
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: inetd   
(Show other bugs)
Version: 6.2
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2001-01-22 13:56 UTC by David Willis
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2001-01-23 11:55:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description David Willis 2001-01-22 13:56:55 UTC
Recently did a default install of 6.2 on an IBM 486

Only things I configured was the dns server.

Apache, sendmail, inetd, ident etc. have not been changed from the base 

System was hacked by an IRC user through inetd from what I can gather.  
Have had servers running on 4.0 through 6.1 over the past 4 years.

All of the /var/log files have been deleted
/etc/logwatch deleted

user was able to create a new user account /home/t
then ftp'd a copy of BNC some kind of remote IRC Proxy Daemon which uses 
the host IP to mask the actual user on IRC!

Is there any way I can retrieve the deleted logs of what occured so that I 
can forward these on to you?

I have restored my original files from backup and disabled the ftp,telnet 
& gopher services by commenting out these in the inetd.conf file and 
restarting inetd.  Tested these remotely to ensure the services were 

I have enabled tripwire and logwatch as well.

I have also changed all passwords on the system, my issue is this hacker 
has obviously got a good snapshot of my installed system.

Please return advice by e-mail to admin@epo-box.com

Comment 1 David Willis 2001-01-23 11:55:18 UTC
Have traced the hacker to using IP which may be a masquerade.  
As a follow up this user has been trying to login using the in.rlogind module.

Fortunately I have removed all the references to this proxy host.

Further more I have had multiple attempts to the ftp login from

Comment 2 Trond Eivind Glomsrxd 2001-01-25 18:50:06 UTC
There are no known security holes in in inetd, and it has been audited. However,
other programs have had problems since the release of Red Hat Linux 6.2 and I
believe one of these have been used. Be sure to apply all errata listed on
http://www.redhat.com/errata/ - for maximum security, install up2date and run
that on a frequent basis as well as subscribe to the redhat-watch list.

Note You need to log in before you can comment on or make changes to this bug.