[lug] Fun with being hacked

Greg Horne jeerygh at hotmail.com
Tue Aug 14 12:53:39 MDT 2001


Speaking of ssh and security, does anybody know where I can find really good 
information (multiple sources would be nice) pertaining to setting up, 
securing, and administrating ssh?  BTW I ask this because I want to stop 
using telnet.

Greg

>From: HEROLD <herold at cslr.Colorado.EDU>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: [lug] Fun with being hacked
>Date: Tue, 14 Aug 2001 09:55:00 -0600 (MDT)
>
>So, I noticed an interesting message in my messages file this morning:
>
>Aug 12 04:43:14 pharynx sshd2[812]: connection from "161.184.79.143"
>Aug 12 04:43:20 pharynx sshd2[11628]: User gdm's local password accepted.
>Aug 12 04:43:20 pharynx sshd2[11628]: Password authentication for user gdm accepted.
>Aug 12 04:43:20 pharynx sshd2[11628]: User gdm, coming from s161-184-79-143.ab.hsia.telus.net, authenticated.
>
>Apparently this has been happening since around the 28th of July.
>
>I also found a package called "autotelnet" installed in
>/tmp/.../autotelnet, which is a hack designed to break into telnetd using
>a buffer overflow (gives root shell of course).
>
>Of course, my next actions will be to reformat and reinstall RH7.1, and,
>once again, apply every RPM in existence.  The problem is that I am not
>running telnetd, and in fact turned off all the services except sshd
>(openssh).  I did a check on the telnet port and had the connection
>refused.  It seems to me that the autotelnet was installed afterwards, to
>probe and attack other machines.  I do not, however, have any idea of how
>they got in in the first place.
>
>Does gdm normally have a passwd?  There is a gdm listed in the user
>accounts, but I thought that was just so gnome could do its thing?
>Should I password it next time?
>
>In general, since RH7.1 does not install the xwindows linuxconf, what's
>a quick way to find out what services are running on a machine?
>
>Thanks,
>Keith
>
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug


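For Greg's question about securing sshd once telnet is switched off, here is a check written for this archive page; it is not code from either poster or from the OpenSSH project. It reads an sshd_config and reports the settings that matter most on an OpenSSH 2.x/3.x host of that era, where an absent Protocol line means "2,1" and an absent PermitRootLogin means "yes". The two sample configs, one permissive and one corrected, and the account name in them are constructed. On a current OpenSSH the Protocol directive no longer exists and PermitRootLogin defaults to prohibit-password, so the defaults baked into the script are era-specific assumptions.

```sh
#!/bin/sh
# Added example for this archive page, not code from either poster.
# Lints an sshd_config for the settings that matter when sshd replaces
# telnet. Defaults assumed are those of OpenSSH 2.x/3.x as shipped around
# RH 7.1: Protocol defaults to "2,1" and PermitRootLogin to "yes", so an
# absent directive counts as weak. Modern OpenSSH dropped Protocol and
# defaults PermitRootLogin to prohibit-password; adjust if you run that.

# Constructed sample: a permissive config (not a real file from the thread).
SAMPLE_WEAK_CONFIG='# permissive sshd_config (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes'

# The same config with the weak settings corrected. Password authentication
# stays on because the thread is about replacing telnet; switch it off once
# every admin has an ssh key installed.
SAMPLE_HARDENED_CONFIG='# hardened sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers keith
X11Forwarding no'

# check_sshd_config  (config text on stdin)
# Prints one line per weak setting. Directive names are case-insensitive,
# "#" lines and blank lines are skipped, and the first occurrence of a
# directive wins, which is how sshd itself reads the file. Exit status is
# 1 if any hard finding was printed, 0 otherwise (the advisory does not count).
check_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1); if (!(k in v)) v[k] = $2 }
        END {
            n = 0
            if (!("protocol" in v) || v["protocol"] ~ /1/) {
                print "Protocol: SSH-1 allowed; set \"Protocol 2\""; n++
            }
            if (!("permitrootlogin" in v) || tolower(v["permitrootlogin"]) == "yes") {
                print "PermitRootLogin: root may log in directly; set \"PermitRootLogin no\""; n++
            }
            if (tolower(v["permitemptypasswords"]) == "yes") {
                print "PermitEmptyPasswords: empty-password accounts can log in; set \"PermitEmptyPasswords no\""; n++
            }
            if (!("allowusers" in v) && !("allowgroups" in v)) {
                print "AllowUsers: any account with a password (a service account like gdm included) can log in; add \"AllowUsers <admins>\""; n++
            }
            if (!("passwordauthentication" in v) || tolower(v["passwordauthentication"]) == "yes") {
                print "advisory PasswordAuthentication: on; move admins to keys, then set \"PasswordAuthentication no\""
            }
            exit (n > 0)
        }'
}

# Run both samples when executed directly. The if-form keeps the non-zero
# exit status of the weak config from aborting a script run under set -e.
for cfg in "$SAMPLE_WEAK_CONFIG" "$SAMPLE_HARDENED_CONFIG"; do
    if printf '%s\n' "$cfg" | check_sshd_config; then
        echo "-> no hard findings"
    else
        echo "-> hard findings, fix before exposing sshd"
    fi
done
```

On the real host run `check_sshd_config < /etc/ssh/sshd_config` and restart sshd after editing. The AllowUsers finding is the one that bears on the break-in described in the quoted message: without it, every account that has a password, service accounts included, is a valid ssh login.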
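Keith's two questions in the quoted message, whether gdm should have a password and how to see what is running, can both be answered from a shell. The script below is an added example for this archive page, not code from either poster. It assumes the standard /etc/passwd and /etc/shadow layouts, Red Hat's convention that UIDs below 500 are service accounts, the sshd2 log lines quoted above plus the OpenSSH equivalent, and netstat (net-tools) or ss (iproute2) for the live listener check. All data embedded in it is constructed: the hashes are dummies and the extra log lines are invented. The point it makes is that a service account such as gdm should carry a locked shadow entry, so an accepted password login for it is itself the finding, whatever password was on it.

```sh
#!/bin/sh
# Added example for this archive page, not code from either poster.
# Three checks for the questions in the quoted message: which service
# accounts can log in with a password, which users sshd has accepted by
# password, and what is listening on the box. Assumes the standard
# /etc/passwd and /etc/shadow layouts, Red Hat's convention that UIDs
# below 500 are service accounts, the sshd2 syslog lines quoted in the
# thread plus OpenSSH's equivalent, and net-tools or iproute2 for the live
# listener check. All sample data is constructed (dummy hashes, invented lines).

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
keith:x:500:500:Keith:/home/keith:/bin/bash'

# Field 2 of a shadow entry: "*" or "!..." means locked, an empty field
# means no password at all, anything else is a usable hash (dummies here).
SAMPLE_SHADOW='root:$1$dummyhashA:11500:0:99999:7:::
bin:*:11500:0:99999:7:::
daemon:*:11500:0:99999:7:::
gdm:$1$dummyhashB:11500:0:99999:7:::
nobody::11500:0:99999:7:::
keith:$1$dummyhashC:11500:0:99999:7:::'

# First three lines mirror the sshd2 format quoted in the thread; the last
# two are invented, the final one in OpenSSH's format.
SAMPLE_LOG='Aug 12 04:43:14 pharynx sshd2[812]: connection from "161.184.79.143"
Aug 12 04:43:20 pharynx sshd2[11628]: Password authentication for user gdm accepted.
Aug 12 04:43:20 pharynx sshd2[11628]: User gdm, coming from s161-184-79-143.ab.hsia.telus.net, authenticated.
Aug 13 22:10:02 pharynx sshd2[11900]: Password authentication for user keith accepted.
Aug 14 03:12:45 pharynx sshd[12044]: Accepted password for gdm from 10.0.0.5 port 40212 ssh2'

# service_accounts_with_password PASSWD_FILE  (shadow content on stdin)
# Lists accounts with UID below 500 whose shadow entry is not locked,
# tagged HASPASSWD or NOPASSWD. Service accounts like gdm belong on neither
# list: lock them (passwd -l gdm) rather than give them a password.
service_accounts_with_password() {
    awk -F: '
        NR == FNR { if ($3 + 0 < 500) sys[$1] = 1; next }
        ($1 in sys) && ($2 !~ /^[*!]/) {
            tag = ($2 == "") ? " NOPASSWD" : " HASPASSWD"
            print $1 tag
        }' "$1" -
}

# password_logins_by_user  (syslog lines on stdin)
# Counts accepted password logins per user. Understands the ssh.com sshd2
# line "Password authentication for user X accepted." and OpenSSH's
# "Accepted password for X from ...". Output: "<count> <user>", highest first.
password_logins_by_user() {
    awk '
        /sshd2\[[0-9]+\]: Password authentication for user [^ ]+ accepted/ {
            for (i = 1; i <= NF; i++) if ($i == "user") n[$(i + 1)]++
        }
        /sshd\[[0-9]+\]: Accepted password for / {
            for (i = 1; i <= NF; i++) if ($i == "for") n[$(i + 1)]++
        }
        END { for (u in n) print n[u], u }' | sort -rn
}

# listening_services
# Live check only (not run on the samples): every TCP/UDP listener with its
# owning process; -p needs root. Falls back to ss when net-tools is absent.
listening_services() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -tulpn
    else
        ss -tulpn
    fi
}

# Run the two offline checks on the constructed samples.
PASSWD_TMP=$(mktemp)
trap 'rm -f "$PASSWD_TMP"' EXIT
printf '%s\n' "$SAMPLE_PASSWD" > "$PASSWD_TMP"

echo "== service accounts (UID < 500) that can authenticate with a password =="
printf '%s\n' "$SAMPLE_SHADOW" | service_accounts_with_password "$PASSWD_TMP"
echo "== accepted password logins per user =="
printf '%s\n' "$SAMPLE_LOG" | password_logins_by_user
```

On the real host, as root, run `service_accounts_with_password /etc/passwd < /etc/shadow`, then `password_logins_by_user` on whichever file your sshd logs to (Keith's sshd2 wrote to /var/log/messages; OpenSSH on Red Hat normally lands in /var/log/secure), and `listening_services` for the current listeners; `chkconfig --list | grep ':on'` shows what Red Hat will start at boot. Any user that appears in the login counts and also in the service-account list is a compromised or misconfigured account, not a legitimate user.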