
Re: [seul-edu] Server hacked via FTP hack... need help...



At 01:34 PM 5/3/02 -0400, you wrote:
>Thank you everyone again for your help.  The attributes were changed.  I 
>was able to delete major stuff and shutdown all outside connections.  The 
>man at the school then took it offline.  I'm going over in the morning to 
>replace.
>
>My first experience with being hacked.  Not fun.  Definitely want to stop 
>it from happening again... as best I can.
>
>Any opinions on which distro is "most" patched?

None. Use your favourite one, and make sure you shut off whatever you don't
want. Keep track of security issues surrounding whatever apps you _are_
exposing to the world.

Les Richardson



>
>thanks.
>ryan
>
>At 12:53 PM 5/3/2002 -0300, you wrote:
>>On Fri, May 03, 2002 at 11:01:12AM -0400, Ryan Booz wrote:
>> > Although root appears to have control of the file (with FTP as
>> > group now), I can't do anything with it.  Any suggestions on how I can get
>> > this stuff corrected and get ssh back up and running?
>>
>>It is likely that the file has the "immutable" bit set, a common ploy
>>to try to prevent the victim from undoing the damage.  See "man chattr".
>>However, as others have pointed out, a fresh install, with a data recovery
>>on top of that is probably the best way to proceed at this point.
>>
>>Ben
>>--
>>     nSLUG       http://www.nslug.ns.ca      synrg@sanctuary.nslug.ns.ca
>>     Debian      http://www.debian.org       synrg@debian.org
>>[ pgp key fingerprint = 7F DA 09 4B BA 2C 0D E0  1B B1 31 ED C6 A9 39 4F ]
>>[ gpg key fingerprint = 395C F3A4 35D3 D247 1387  2D9E 5A94 F3CA 0B27 13C8 ]
>
>Ryan J. Booz
>Information Technology Associate
>Training Services, ITS@Penn State
>http://cac.psu.edu/training
>224B Computer Building
>University Park, PA 16802-2101
>Office: 814-863-7491
>Fax: 814-863-7049
>
>
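Added example, not part of the original thread: a shell filter that reads `lsattr -R` output and lists the files carrying the immutable (i) or append-only (a) attribute, the condition described in the quoted reply about chattr. The sample listing and the function names `flagged_files` and `sample_lsattr` are constructed for illustration.

```shell
#!/bin/sh
# Added example: report files whose ext2/3/4 attributes include
# immutable (i) or append-only (a), reading `lsattr -R` output on stdin.

flagged_files() {
    # A real entry is "<flags> <path>"; the flags field holds only letters
    # and dashes. Directory headers ("/etc/ssh:") and blank lines fail
    # that test and are skipped.
    awk '
        NF >= 2 && $1 ~ /^[-A-Za-z]+$/ && $1 ~ /-/ && $1 ~ /[ia]/ {
            flags = $1
            path = $0
            sub(/^[^ ]+ +/, "", path)   # keep paths that contain spaces
            kind = ""
            if (flags ~ /i/) kind = "immutable"
            if (flags ~ /a/) kind = (kind == "" ? "append-only" : kind ",append-only")
            print kind "\t" path
        }'
}

# Constructed sample of `lsattr -R` output (not taken from the thread).
sample_lsattr() {
    cat <<'EOF'
-------------e-- /etc/passwd
----i--------e-- /usr/sbin/sshd
-----a-------e-- /var/log/.hidden log

/etc/ssh:
-------------e-- /etc/ssh/sshd_config
EOF
}

# On a live system (as root): lsattr -R / 2>/dev/null | flagged_files
# After reviewing a flagged file, clear the bit with: chattr -i <file>
if [ "${1:-}" = "--demo" ]; then
    sample_lsattr | flagged_files
fi
```

Flagged files on a compromised host are a map of what the intruder wanted to keep in place, so record the list before clearing any attribute or reinstalling.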