[seul-edu] Server hacked via FTP hack... need help...



Hey gang...

I'm sorry to barge in again with a help question, but I'm stuck on this 
one.  I've tried to look around, but I'm not exactly sure what to search 
for... I'm obviously not searching for the right thing as I'm getting nowhere.

I help a school (remotely) keep up servers I installed while I was a 
teacher there.  One of those servers is the firewall/webserver.  I didn't 
realize that at some point FTP was started (I was playing around with it a 
long time ago, but thought it was shut down).  Last week I got a call that 
they were having trouble with the system and couldn't get out to the 
internet or SSH into the system.  We finally got some of it back on-line, 
enough for me to get in via secure WebMin.  It appears that someone got in 
via FTP and messed up SSH.  Although I'm functioning as root in WebMin, I 
can't delete some files.  The permissions were changed to "root" as owner 
and "ftp" as group on some of these files.  One of them being SSH.  I 
cannot see the ssh executable in some views, nor can I delete it.  Then I 
found that there were files changed in "/etc/rc.d/init.d" with the same 
problem. Although root appears to have control of the file (with FTP as 
group now), I can't do anything with it.  Any suggestions on how I can get 
this stuff corrected and get ssh back up and running?

Thank you for the time and help.  If there's a place anyone could direct me 
instead, that's fine...

Sincerely,
Ryan Booz


Ryan J. Booz
Information Technology Associate
Training Services, ITS@Penn State
http://cac.psu.edu/training
224B Computer Building
University Park, PA 16802-2101
Office: 814-863-7491
Fax: 814-863-7049