Been Hacked

Status
Not open for further replies.

sarm

Programmer
Aug 13, 2001
77
US
I've been hacked

Here's what they did

ftp
tar -x2vf bnc2.4.4.tar.gz
cd bnc2.4.4
./configure
make
ls
./bcn
irc
BitchX

Is there any way to recover besides reloading? Obviously whomever simply was able to gain access via ftp. What needs to be done to tighten ftp access?

Thanks
 
Hi,

I think this is just a way to hide your real origin IP when using IRC - a kind of proxy if you like. It's even mentioned in the IRC howto -->

However, even if it is so innocuous and only masquerading as your box, there must be a risk that something else will be done of a more serious nature. So, yes you'd have to tighten up on the ftp side and any other servers you have exposed to the internet. Presumably you are running an iptables/ipchains firewall? Also, there have certainly been a few problems with wu-ftpd (e.g. so I'd grab the latest rpms and maybe consider changing to something like vsftpd or proftpd.

Hope this helps
 
Hi ifincham,

Yes, I will probably grab the latest rpms even though there's controversy over wu-ftpd 2.6.2 already. I should have ftp disabled when not in use as well for extra security, huh? I understand the ftp version that shipped with rh7.1 is vulnerable to the bnc. The program via ftp packet storms your server until it gains root access by buffer overflow and then does as you mention in your reply about aliasing your ip for irc.
I guess it's a good thing in a way that this happened. Now I can go off and patch another security hole. The intruder may not be so fortunate the next time.

Take care..



 
First of all, there is no way for you to know that is *ALL* they did. If they were able to root your box, they can clean log files, and otherwise hide their tracks...
I would reinstall and then reload the data from tape (you do back up your box, right <G>)

---
John Hoke
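
The history in the first post follows a recognizable order: unpack an archive, build it, run the resulting binary, then start an IRC client. A small triage sketch for spotting that order in a shell history follows; it is an added example, not part of the thread, and the names `STAGES`, `CHAIN`, `classify` and `triage`, plus the tool names beyond those in the post, are assumptions made for illustration.

```python
import re

# Ordered so "./configure" is classed as build, not as running a local binary.
# Tool names other than those in the post (ncftp, wget, curl, ...) are assumptions.
STAGES = [
    ("fetch",   re.compile(r"^(ftp|ncftp|wget|curl)\b")),
    ("unpack",  re.compile(r"^(tar|gunzip|unzip)\b")),
    ("build",   re.compile(r"^(\./configure|make)\b")),
    ("execute", re.compile(r"^\./\S+")),
    ("irc",     re.compile(r"^(irc|bitchx)\b", re.IGNORECASE)),
]
# Stages that must appear in this order for the history to be flagged.
CHAIN = ["unpack", "build", "execute"]

def classify(command):
    """Return the stage name for one history line, or None."""
    command = command.strip()
    for name, pattern in STAGES:
        if pattern.search(command):
            return name
    return None

def triage(history):
    """Return (flagged, hits); hits are (line_no, stage, command) tuples."""
    hits, step = [], 0
    for line_no, command in enumerate(history, start=1):
        stage = classify(command)
        if stage is None:
            continue
        hits.append((line_no, stage, command.strip()))
        if step < len(CHAIN) and stage == CHAIN[step]:
            step += 1
    return step == len(CHAIN), hits

# History exactly as quoted in the first post.
POSTED = ["ftp", "tar -x2vf bnc2.4.4.tar.gz", "cd bnc2.4.4", "./configure",
          "make", "ls", "./bcn", "irc", "BitchX"]
# Constructed benign history for comparison.
BENIGN = ["ls -l", "cd /var/log", "tail messages", "make clean"]

if __name__ == "__main__":
    for label, hist in (("posted", POSTED), ("benign", BENIGN)):
        flagged, hits = triage(hist)
        print(label, "FLAGGED" if flagged else "ok")
        for line_no, stage, command in hits:
            print(f"  {line_no:>2} {stage:<8} {command}")
```

A clean result proves nothing on a box where the intruder had root, since the history file can be edited like any other log; a hit only confirms what was left behind.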
 