[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [seul-edu] Server hacked via FTP hack... need help...

To: seul-edu@seul.org
Subject: Re: [seul-edu] Server hacked via FTP hack... need help...
From: Ryan Booz <ryanbooz@psu.edu>
Date: Fri, 03 May 2002 11:39:56 -0400
Delivered-To: archiver@seul.org
Delivered-To: seul-edu-outgoing@seul.org
Delivered-To: seul-edu@seul.org
Delivery-Date: Fri, 03 May 2002 11:39:01 -0400
In-Reply-To: <3.0.6.32.20020503092043.00872b30@mail.hhs.sk.ca>
References: <5.1.0.14.2.20020503104521.01ba5360@email.psu.edu>
Reply-To: seul-edu@seul.org
Sender: owner-seul-edu@seul.org

Thanks all... I assumed that was the ticket... not a very exciting one, but 
I kind of thought that was the deal.  Now I've got to find time to get there...

Thanks for the input!
ryan

At 09:20 AM 5/3/2002 -0600, you wrote:
>Ryan,
>
>I would reinstall and then make sure you're not running anything you don't
>want. (check inetd/xinetd)
>
>Les
>
>
>At 11:01 AM 5/3/02 -0400, you wrote:
> >Hey gang...
> >
> >I'm sorry to barge in again with a help question, but I'm stuck on this
> >one.  I've tried to look around, but I'm not exactly sure what to search
> >for... I'm obviously not searching for the right thing as I'm getting
>nowhere.
> >
> >I help a school (remotely) keep up servers I installed while I was a
> >teacher there.  One of those servers is the firewall/webserver.  I didn't
> >realize that at some point FTP was started (I was playing around with it a
> >long time ago, but thought it was shutdown).  Last week I got a call that
> >they were having trouble with the system and couldn't get out to the
> >internet or SSH into the system.  We finally got some of it back on-line,
> >enough for me to get in via secure WebMin.  It appears that someone got in
> >via FTP and messed up SSH.  Although I'm functioning as root in WebMin, I
> >can't delete some files.  The permissions were changed to "root" as owner
> >and "ftp" as group on some of these files.  One of them being SSH.  I
> >cannot see the ssh executable in some views, nor can I delete it.  Then I
> >found that there were files changed in "/etc/rc.d/init.d" with the same
> >problem. Although root appears to have control of the file (with FTP as
> >group now), I can't do anything with it.  Any suggestions on how I can get
> >this stuff corrected and get ssh back up and running?
> >
> >thank you for the time and help.  If there's a place anyone could direct me
> >instead, that's fine...
> >
> >sincerely,
> >Ryan Booz
> >
> >
> >Ryan J. Booz
> >Information Technology Associate
> >Training Services, ITS@Penn State
> >http://cac.psu.edu/training
> >224B Computer Building
> >University Park, PA 16802-2101
> >Office: 814-863-7491
> >Fax: 814-863-7049
> >
> >

Ryan J. Booz
Information Technology Associate
Training Services, ITS@Penn State
http://cac.psu.edu/training
224B Computer Building
University Park, PA 16802-2101
Office: 814-863-7491
Fax: 814-863-7049

References:
- [seul-edu] Server hacked via FTP hack... need help...
  - From: Ryan Booz <ryanbooz@psu.edu>
- Re: [seul-edu] Server hacked via FTP hack... need help...
  - From: Les Richardson <richl@mail.tfsd.sk.ca>

Prev by Date: Re: [seul-edu] Legal questions [was Re: They changed the site! (was Re: [OS:N:] Donated PCs)
Next by Date: Re: [seul-edu] Legal questions [was Re: They changed the site! ( was Re: [OS:N:] Donated PCs)
Prev by thread: Re: [seul-edu] Server hacked via FTP hack... need help...
Next by thread: Re: [seul-edu] Server hacked via FTP hack... need help...
Index(es):
- Date
- Thread