LinuxSA Mailing list archives
From: Andrew Gosling <gossie@pcpro.net.au>
To: geoff <gstephens@email.com>, <linuxsa@linuxsa.org.au>
Date: Sun, 15 Apr 2001 21:08:27 +0930
Subject: Re: problem with login to redhat 6.2

I hate to be the one to give you bad news, but almost without doubt you've been hacked.

You will be able to get in in single user mode; from there have a look at your inetd.conf. I will bet that there is a really strange entry at the end, and if you telnet to the box with those settings you will get a root prompt.

How did they get in? My guess is wuftp, which you haven't updated and haven't disabled. As well, you're using telnet, EVIL.

As you will probably have to start from scratch, 'cause you can never trust a compromised box, get Redhat 7.0 and once installed disable anything you don't need, nmap it, make sure every port that isn't needed is closed, run every update that's out there and only ever ssh to the thing.

It's a hard lesson.

Regards
Andrew

----- Original Message -----
From: geoff
To: linuxsa@linuxsa.org.au
Sent: Saturday, April 14, 2001 9:34 PM
Subject: problem with login to redhat 6.2

connect through telnet and it says redhat 6.1 blah blah blah
doesn't ask username or password and just sits there

when connect locally it asks for username but sits there afterwards and doesn't ask for password
happened after standard reset
anyone with any ideas?
cheers geoff
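
The inetd.conf review suggested in the reply above, as an added example that is not part of the original message: a small audit that lists every active entry that is either outside the set of services you mean to keep or that starts a shell. The sample file, the service name `example-svc` and the `allowed` set are constructed assumptions for illustration.

```python
import os

SHELLS = {"sh", "bash", "ash", "csh", "tcsh", "ksh", "zsh"}

# Constructed sample, not taken from the machine discussed in the thread.
SAMPLE = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#finger stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp  wait    root    /usr/sbin/in.identd  in.identd -e -o
example-svc stream tcp nowait root   /bin/sh  sh -i
"""

def audit_inetd(text, allowed):
    """Return [(line_no, service, [reasons])] for active entries needing review.

    `allowed` is the set of service names the admin deliberately keeps enabled
    (an assumption of this example; build it from your own requirements).
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented out = disabled
        fields = line.split()
        if len(fields) < 6:               # name type proto wait user program
            findings.append((no, fields[0], ["malformed entry"]))
            continue
        service, user, server, args = fields[0], fields[4], fields[5], fields[6:]
        user = user.replace(":", ".").split(".")[0]   # strip optional group
        reasons = []
        if service not in allowed:
            reasons.append("service not in allowlist")
        # An entry whose program or arguments name a shell hands the
        # connecting client a shell running as `user`.
        if {os.path.basename(p) for p in [server] + args} & SHELLS:
            reasons.append("runs a shell as " + user)
        if reasons:
            findings.append((no, service, reasons))
    return findings

if __name__ == "__main__":
    for no, service, reasons in audit_inetd(SAMPLE, allowed={"auth"}):
        print(f"line {no}: {service}: {', '.join(reasons)}")
```

Run it against a copy of the file read from single user mode or from rescue media, since tools on the suspect system itself may have been replaced.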