Subject: Serious Break-in
From: Rick Dennis (rickd@alaskastyle.com)
Date: Fri Dec 21 2001 - 14:39:08 AKST
fcheck@sockeye.alaskastyle.com: warn
My webserver was just hacked into this evening and totally compromised.
It was just deployed a week ago; RedHat v. 7.0 only running ssh, httpd, dns and ftp (ProFTP - never used it before, always used ncFTPD).
Anyway, this is a heads up for anyone else out there.
Any suggestions or comments would be welcome, but please send them to rdennis@alaskapacific.edu since my email server seems to be hosed, too.
Here is the output of fcheck, alerting me to the break-in, but by the time I got these messages (10 minutes) it was too late.
ADDITION: [sockeye.alaskastyle.com] /asul.tgz
Inode Permissons Size Created On
1942 -rw------- 945237 Dec 20 15:39 2001
ADDITION: [sockeye.alaskastyle.com] /qd
Inode Permissons Size Created On
1941 -rwx------ 202 Dec 20 15:37 2001
PROGRESS: validating integrity of /etc/
DELETION: [sockeye.alaskastyle.com] /asul.tgz
Inode Permissons Size Created On
1942 -rw------- 945237 Dec 20 15:39 2001
PROGRESS: validating integrity of /etc/
--
WARNING: [sockeye.alaskastyle.com] /etc/rc.d/rc.sysinit
[Sizes: 16948 - 17059, Times: Dec 09 05:42 2001 - Dec 20 15:41 2001]
WARNING: [sockeye.alaskastyle.com] /etc/rc.sysinit
[Sizes: 16948 - 17059, Times: Dec 09 05:42 2001 - Dec 20 15:41 2001]
DELETION: [sockeye.alaskastyle.com] /etc/rc.d/init.d/portmap
Inode Permissons Size Created On
12657 -rwxr-xr-x 1388 Dec 09 05:46 2001
DELETION: [sockeye.alaskastyle.com] /etc/rc.d/rc0.d/K87portmap
Inode Permissons Size Created On
12657 -rwxr-xr-x 1388 Dec 09 05:46 2001
DELETION: [sockeye.alaskastyle.com] /etc/rc.d/rc1.d/K87portmap
Inode Permissons Size Created On
12657 -rwxr-xr-x 1388 Dec 09 05:46 2001
DELETION: [sockeye.alaskastyle.com] /etc/rc.d/rc2.d/K87portmap
Inode Permissons Size Created On
12657 -rwxr-xr-x 1388 Dec 09 05:46 2001
DELETION: [sockeye.alaskastyle.com] /etc/rc.d/rc3.d/S13portmap
Inode Permissons Size Created On
12657 -rwxr-xr-x 1388 Dec 09 05:46 2001
DELETION: [sockeye.alaskastyle.com] /etc/rc.d/rc4.d/S13portmap
Inode Permissons Size Created On
12657 -rwxr-xr-x 1388 Dec 09 05:46 2001
DELETION: [sockeye.alaskastyle.com] /etc/rc.d/rc5.d/S13portmap
Inode Permissons Size Created On
12657 -rwxr-xr-x 1388 Dec 09 05:46 2001
DELETION: [sockeye.alaskastyle.com] /etc/rc.d/rc6.d/K87portmap
Inode Permissons Size Created On
12657 -rwxr-xr-x 1388 Dec 09 05:46 2001
PROGRESS: validating integrity of /bin/
--
DELETION: [sockeye.alaskastyle.com] /sbin/portmap
Inode Permissons Size Created On
12658 -rwxr-xr-x 26780 Dec 09 05:46 2001
PROGRESS: validating integrity of /usr
--
ADDITION: [sockeye.alaskastyle.com] /usr/bin/attrib
Inode Permissons Size Created On
32938 -rwxr-xr-x 7484 Dec 20 15:41 2001
ADDITION: [sockeye.alaskastyle.com] /usr/bin/init_1
Inode Permissons Size Created On
35499 -r-x------ 915 Dec 20 15:40 2001
ADDITION: [sockeye.alaskastyle.com] /usr/bin/init_2
Inode Permissons Size Created On
35500 -r-x------ 136 Dec 20 15:40 2001
ADDITION: [sockeye.alaskastyle.com] /usr/bin/wget
Inode Permissons Size Created On
35501 -rwx------ 115820 Dec 20 15:40 2001
DELETION: [sockeye.alaskastyle.com] /usr/bin/chattr
Inode Permissons Size Created On
32938 -rwxr-xr-x 7484 Dec 09 05:42 2001
PROGRESS: validating integrity of /usr/libexec
--
WARNING: [sockeye.alaskastyle.com] /usr/sbin/named
[Permissions: -rwxr-xr-x - -rwx------, Sizes: 715164 - 1833463, Times: Dec 09 05:42 2001 - Dec 20 15:40 2001]
PROGRESS: validating integrity of /usr/etc
STATUS:fcheck: Error: Baseline does not match configuration file on _usr_etc
This archive was generated by hypermail 2a23 : Fri Dec 21 2001 - 14:36:56 AKST
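The fcheck report in the post is the kind of output a responder wants to triage quickly: which records are one file being renamed (the same inode disappearing under one name and reappearing under another, as with inode 32938 going from /usr/bin/chattr to /usr/bin/attrib), which are boot scripts or service binaries being altered, which are files that existed only briefly, and which are new executables in system directories. The Python script below is an added example, not code from the original post or from fcheck itself; it parses the record format shown above and groups the records into findings. The sample report is excerpted from the post, and the regular expressions, directory lists and finding labels are my own assumptions rather than anything fcheck defines.

```python
"""Triage helper for fcheck integrity reports (added example; not from the post or from fcheck)."""
import re
from collections import defaultdict

# Record header, e.g. "ADDITION: [host] /path" (format assumed from the report above).
EVENT_RE = re.compile(r"^(ADDITION|DELETION|WARNING): \[(?P<host>[^\]]+)\] (?P<path>\S+)$")
# Detail line under ADDITION/DELETION: "<inode> <perms> <size> <Mon DD HH:MM YYYY>".
DETAIL_RE = re.compile(r"^(?P<inode>\d+) (?P<perms>[-rwxsStTlL]{10}) (?P<size>\d+) "
                       r"(?P<mtime>\w{3} \d{2} \d{2}:\d{2} \d{4})$")
# Detail line under WARNING: "[Sizes: old - new, Times: old - new, ...]".
WARN_RE = re.compile(r"^\[(?P<body>.*)\]$")

SYSTEM_BIN = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")    # assumed binary directories
BOOT_FILES = ("/etc/rc.d/", "/etc/rc.sysinit", "/etc/init.d/")  # assumed boot-script paths

# Constructed sample: an excerpt of the report in the post ("Permissons" is fcheck's own spelling).
SAMPLE_REPORT = """\
ADDITION: [sockeye.alaskastyle.com] /asul.tgz
Inode Permissons Size Created On
1942 -rw------- 945237 Dec 20 15:39 2001
DELETION: [sockeye.alaskastyle.com] /asul.tgz
Inode Permissons Size Created On
1942 -rw------- 945237 Dec 20 15:39 2001
WARNING: [sockeye.alaskastyle.com] /etc/rc.d/rc.sysinit
[Sizes: 16948 - 17059, Times: Dec 09 05:42 2001 - Dec 20 15:41 2001]
ADDITION: [sockeye.alaskastyle.com] /usr/bin/attrib
Inode Permissons Size Created On
32938 -rwxr-xr-x 7484 Dec 20 15:41 2001
ADDITION: [sockeye.alaskastyle.com] /usr/bin/wget
Inode Permissons Size Created On
35501 -rwx------ 115820 Dec 20 15:40 2001
DELETION: [sockeye.alaskastyle.com] /usr/bin/chattr
Inode Permissons Size Created On
32938 -rwxr-xr-x 7484 Dec 09 05:42 2001
WARNING: [sockeye.alaskastyle.com] /usr/sbin/named
[Permissions: -rwxr-xr-x - -rwx------, Sizes: 715164 - 1833463, Times: Dec 09 05:42 2001 - Dec 20 15:40 2001]
"""


def parse_changes(body):
    """Turn 'Sizes: 1 - 2, Times: a - b' into {'Sizes': ('1', '2'), 'Times': ('a', 'b')}."""
    changes = {}
    for field in body.split(", "):
        name, _, span = field.partition(": ")
        old, _, new = span.partition(" - ")
        changes[name] = (old, new)
    return changes


def parse_fcheck(text):
    """Return one dict per ADDITION/DELETION/WARNING record; PROGRESS and column headers are skipped."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = EVENT_RE.match(line)
        if m:
            current = {"kind": m.group(1), "host": m.group("host"), "path": m.group("path")}
            events.append(current)
            continue
        if current is None:
            continue
        m = DETAIL_RE.match(line)
        if m and current["kind"] in ("ADDITION", "DELETION"):
            current.update(inode=int(m.group("inode")), perms=m.group("perms"),
                           size=int(m.group("size")), mtime=m.group("mtime"))
            continue
        m = WARN_RE.match(line)
        if m and current["kind"] == "WARNING":
            current["changes"] = parse_changes(m.group("body"))
    return events


def triage(events):
    """Group records into (label, detail) findings a responder can act on."""
    findings = []
    # Same inode deleted under one name and added under another: the file was renamed.
    # Same inode added and deleted under the same name: it existed only transiently.
    by_inode = defaultdict(lambda: {"ADDITION": [], "DELETION": []})
    for e in events:
        if "inode" in e:
            by_inode[e["inode"]][e["kind"]].append(e["path"])
    for inode, sides in by_inode.items():
        for added in sides["ADDITION"]:
            for deleted in sides["DELETION"]:
                if added == deleted:
                    findings.append(("transient", f"{added} created then removed (inode {inode})"))
                else:
                    findings.append(("rename", f"{deleted} -> {added} (inode {inode})"))
    for e in events:
        p, ch = e["path"], e.get("changes", {})
        if e["kind"] == "ADDITION" and p.startswith(SYSTEM_BIN) and "x" in e.get("perms", ""):
            findings.append(("new-binary", p))
        elif e["kind"] == "WARNING" and p.startswith(BOOT_FILES):
            findings.append(("boot-script-modified", p))
        elif e["kind"] == "WARNING" and p.startswith(SYSTEM_BIN) and ("Sizes" in ch or "Permissions" in ch):
            findings.append(("binary-replaced", p))
        elif e["kind"] == "DELETION" and p.startswith(SYSTEM_BIN + BOOT_FILES):
            findings.append(("system-file-removed", p))
    return findings


if __name__ == "__main__":
    for label, detail in triage(parse_fcheck(SAMPLE_REPORT)):
        print(f"{label:22} {detail}")
```

Run against the excerpt, the script reports the /asul.tgz archive as transient, the chattr-to-attrib rename, rc.sysinit as a modified boot script, attrib and wget as new binaries, chattr as a removed system file, and named as a replaced binary. The inode correlation is the part worth keeping: a plain list of additions and deletions hides that a deleted system tool and a new oddly named file are the same inode, which is exactly the detail that tells a responder the tool was renamed rather than removed.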