Re: [seul-edu] Server hacked via FTP hack... need help...

[Ryan Booz <ryanbooz@psu.edu>]

Thank you everyone again for your help.  The attributes were changed.  I 
was able to delete major stuff and shutdown all outside connections.  The 
man at the school then took it offline.  I'm going over in the morning to 
replace.

my first experience with being hacked.  not fun.  definitely want to stop 
it from happening again... as best I can.

Any opinions on which distro is "most" patched.

thanks.
ryan

At 12:53 PM 5/3/2002 -0300, you wrote:
>On Fri, May 03, 2002 at 11:01:12AM -0400, Ryan Booz wrote:
> > Although root appears to have control of the file (with FTP as
> > group now), I can't do anything with it.  Any suggestions on how I can get
> > this stuff corrected and get ssh back up and running?
>
>It is likely that the file has the "immutable" bit set, a common ploy
>to try to prevent the victim from undoing the damage.  See "man chattr".
>However, as others have pointed out, a fresh install, with a data recovery
>on top of that is probably the best way to proceed at this point.
>
>Ben
>--
>     nSLUG       http://www.nslug.ns.ca      synrg@sanctuary.nslug.ns.ca
>     Debian      http://www.debian.org       synrg@debian.org
>[ pgp key fingerprint = 7F DA 09 4B BA 2C 0D E0  1B B1 31 ED C6 A9 39 4F ]
>[ gpg key fingerprint = 395C F3A4 35D3 D247 1387  2D9E 5A94 F3CA 0B27 13C8 ]

Ryan J. Booz
Information Technology Associate
Training Services, ITS@Penn State
http://cac.psu.edu/training
224B Computer Building
University Park, PA 16802-2101
Office: 814-863-7491
Fax: 814-863-7049