Red Hat Bugzilla – Bug 24545
Default Install Hacked
Last modified: 2008-05-01 11:37:59 EDT
Recently did a default install of 6.2 on an IBM 486
The only thing I configured was the DNS server.
Apache, sendmail, inetd, ident etc. have not been changed from the base
System was hacked by an IRC user through inetd from what I can gather.
Have had servers running on 4.0 through 6.1 over the past 4 years.
All of the /var/log files have been deleted
user was able to create a new user account /home/t
then ftp'd a copy of BNC, some kind of remote IRC proxy daemon, which uses
the host IP to mask the actual user on IRC!
Is there any way I can retrieve the deleted logs of what occurred so that I
can forward these on to you?
I have restored my original files from backup and disabled the ftp, telnet
& gopher services by commenting these out in the inetd.conf file and
restarting inetd. Tested these remotely to ensure the services were
I have enabled tripwire and logwatch as well.
I have also changed all passwords on the system, my issue is this hacker
has obviously got a good snapshot of my installed system.
Please return advice by e-mail to email@example.com
Have traced the hacker to using IP 126.96.36.199 which may be a masquerade.
As a follow up this user has been trying to login using the in.rlogind module.
Fortunately I have removed all the references to this proxy host.
Furthermore I have had multiple attempts to the ftp login from 188.8.131.52
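The hardening step the reporter describes (commenting services out of inetd.conf, then checking what is still enabled before restarting inetd) as an added example; this is not code from the bug report, and the sample inetd.conf it writes is constructed, not the reporter's file:

```shell
#!/bin/sh
# Added example: disable inetd services by commenting them out and list
# what remains enabled. Works on whatever file path it is given.

# disable_inetd_services <inetd.conf> <service>...
# Prefixes every active line whose first field (the service name) is one
# of the given names with "#". Lines that are already comments are left alone.
disable_inetd_services() {
    conf="$1"; shift
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/            { print; next }        # already commented out
        NF > 0 && ($1 in off) { print "#" $0; next } # disable this service
                              { print }
    ' "$conf" > "$conf.new" && mv "$conf.new" "$conf"
    # inetd only re-reads its config on SIGHUP or restart; do that afterward,
    # then probe the ports from another host as the reporter did.
}

# active_inetd_services <inetd.conf>
# Prints the service name of every line that is still enabled.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Constructed sample in inetd.conf layout (assumed paths, not a real system);
# "login" is the entry that runs in.rlogind, which the reporter also mentions.
make_sample_conf() {
    cat > "$1" <<'EOF'
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
gopher  stream  tcp  nowait  root    /usr/sbin/tcpd  gn
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
EOF
}

sample="${TMPDIR:-/tmp}/inetd.conf.example.$$"
make_sample_conf "$sample"
disable_inetd_services "$sample" ftp telnet gopher login
echo "still enabled: $(active_inetd_services "$sample" | tr '\n' ' ')"
rm -f "$sample"
```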
There are no known security holes in inetd, and it has been audited. However,
other programs have had problems since the release of Red Hat Linux 6.2 and I
believe one of these has been used. Be sure to apply all errata listed on
http://www.redhat.com/errata/ - for maximum security, install up2date and run
that on a frequent basis as well as subscribe to the redhat-watch list.