[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [seul-edu] Server hacked via FTP hack... need help...



Thanks all... I assumed that was the ticket... not a very exciting one, but 
I kind of thought that was the deal.  Now I've got to find time to get there...

Thanks for the input!
ryan

At 09:20 AM 5/3/2002 -0600, you wrote:
>Ryan,
>
>I would reinstall and then make sure you're not running anything you don't
>want. (check inetd/xinetd)
>
>Les
>
>
>At 11:01 AM 5/3/02 -0400, you wrote:
> >Hey gang...
> >
> >I'm sorry to barge in again with a help question, but I'm stuck on this
> >one.  I've tried to look around, but I'm not exactly sure what to search
> >for... I'm obviously not searching for the right thing as I'm getting
>nowhere.
> >
> >I help a school (remotely) keep up servers I installed while I was a
> >teacher there.  One of those servers is the firewall/webserver.  I didn't
> >realize that at some point FTP was started (I was playing around with it a
> >long time ago, but thought it was shutdown).  Last week I got a call that
> >they were having trouble with the system and couldn't get out to the
> >internet or SSH into the system.  We finally got some of it back on-line,
> >enough for me to get in via secure WebMin.  It appears that someone got in
> >via FTP and messed up SSH.  Although I'm functioning as root in WebMin, I
> >can't delete some files.  The permissions were changed to "root" as owner
> >and "ftp" as group on some of these files.  One of them being SSH.  I
> >cannot see the ssh executable in some views, nor can I delete it.  Then I
> >found that there were files changed in "/etc/rc.d/init.d" with the same
> >problem. Although root appears to have control of the file (with FTP as
> >group now), I can't do anything with it.  Any suggestions on how I can get
> >this stuff corrected and get ssh back up and running?
> >
> >thank you for the time and help.  If there's a place anyone could direct me
> >instead, that's fine...
> >
> >sincerely,
> >Ryan Booz
> >
> >
> >Ryan J. Booz
> >Information Technology Associate
> >Training Services, ITS@Penn State
> >http://cac.psu.edu/training
> >224B Computer Building
> >University Park, PA 16802-2101
> >Office: 814-863-7491
> >Fax: 814-863-7049
> >
> >

Ryan J. Booz
Information Technology Associate
Training Services, ITS@Penn State
http://cac.psu.edu/training
224B Computer Building
University Park, PA 16802-2101
Office: 814-863-7491
Fax: 814-863-7049