Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 24545

Summary: Default Install Hacked
Product: [Retired] Red Hat Linux Reporter: David Willis <willdj>
Component: inetdAssignee: Jeff Johnson <jbj>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: high    
Version: 6.2CC: jarno.huuskonen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-01-23 11:55:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Willis 2001-01-22 13:56:55 UTC 
Recently did a default install of 6.2 on an IBM 486

Only things I configured was the dns server.

Apache, sendmail, inetd, ident etc. have not been changed from the base 
install.

System was hacked by an IRC user through inetd from what I can gather.  
Have had servers running on 4.0 through 6.1 over the past 4 years.

All of the /var/log files have been deleted
/etc/logwatch deleted

user was able to create a new user account /home/t
then ftp'd a copy of BNC some kind of remote IRC Proxy Daemon which uses 
the host IP to mask the actual user on IRC!

Is there any way I can retrieve the deleted logs of what occured so that I 
can forward these on to you?

I have restored my original files from backup and disabled the ftp,telnet 
& gopher services by commenting out these in the inetd.conf file and 
restarting inetd.  Tested these remotely to ensure the services were 
disabled.

I have enabled tripwire and logwatch as well.

I have also changed all passwords on the system, my issue is this hacker 
has obviously got a good snapshot of my installed system.

Please return advice by e-mail to admin
Comment 1 David Willis 2001-01-23 11:55:18 UTC 
Have traced the hacker to using IP 64.209.152.146 which may be a masquerade.  
As a follow up this user has been trying to login using the in.rlogind module.

Fortunately I have removed all the references to this proxy host.

Further more I have had multiple attempts to the ftp login from 217.80.165.206
Comment 2 Trond Eivind Glomsrxd 2001-01-25 18:50:06 UTC 
There are no known security holes in in inetd, and it has been audited. However,
other programs have had problems since the release of Red Hat Linux 6.2 and I
believe one of these have been used. Be sure to apply all errata listed on
http://www.redhat.com/errata/ - for maximum security, install up2date and run
that on a frequent basis as well as subscribe to the redhat-watch list.