
Re: [seul-edu] Server hacked via FTP hack... need help...



Ryan,

I would reinstall and then make sure you're not running anything you don't
want. (check inetd/xinetd)

Les


At 11:01 AM 5/3/02 -0400, you wrote:
>Hey gang...
>
>I'm sorry to barge in again with a help question, but I'm stuck on this 
>one.  I've tried to look around, but I'm not exactly sure what to search 
>for... I'm obviously not searching for the right thing as I'm getting
>nowhere.
>
>I help a school (remotely) keep up servers I installed while I was a 
>teacher there.  One of those servers is the firewall/webserver.  I didn't 
>realize that at some point FTP was started (I was playing around with it a 
>long time ago, but thought it was shut down).  Last week I got a call that 
>they were having trouble with the system and couldn't get out to the 
>internet or SSH into the system.  We finally got some of it back on-line, 
>enough for me to get in via secure WebMin.  It appears that someone got in 
>via FTP and messed up SSH.  Although I'm functioning as root in WebMin, I 
>can't delete some files.  The permissions were changed to "root" as owner 
>and "ftp" as group on some of these files.  One of them being SSH.  I 
>cannot see the ssh executable in some views, nor can I delete it.  Then I 
>found that there were files changed in "/etc/rc.d/init.d" with the same 
>problem. Although root appears to have control of the file (with FTP as 
>group now), I can't do anything with it.  Any suggestions on how I can get 
>this stuff corrected and get ssh back up and running?
>
>Thank you for the time and help.  If there's a place anyone could direct me 
>instead, that's fine...
>
>sincerely,
>Ryan Booz
>
>
>Ryan J. Booz
>Information Technology Associate
>Training Services, ITS@Penn State
>http://cac.psu.edu/training
>224B Computer Building
>University Park, PA 16802-2101
>Office: 814-863-7491
>Fax: 814-863-7049
>
>