Re: Red Hat compromise

From: Ryan Russell (ryanat_private)
Date: Wed May 16 2001 - 20:27:52 PDT

    On Wed, 16 May 2001, Lisa Bogar wrote:
    
    >
    > I received this message from a consultant in town on Friday.  I work at
    > the University and he was looking for some suggestions.  Thought someone
    > might be able to shed some light on how the person got into the box and
    > also how one might monitor this compromise.  I have already told him to
    > reinstall.
    >
    <snip>
    >
    > Our system is a Red Hat Linux v6.2 kernel version 2.2.14-5.0. It was a
    > fairly standard installation with HTTP, FTP, SMTP, IMAP, and NNTP, and other
    > standard INET services. The system was placed behind a FlowPoint FP2200-22
    > SDSL router/firewall with NAT. The ports allowed through the router were 21
    > (FTP), 23 (Telnet), 25 (SMTP), 53 (DNS), 80 (HTTP), 110 (POP3) and 143
    > (IMAP). Internally, we use Samba for file and printer sharing.
    
    
    Unless it was patched, there were root holes in both your FTP and DNS
    server software.  There are very easy-to-use exploits for both of those.
    
    					Ryan
    
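As an added example (not part of the original thread or anyone's posted code): Ryan's point is that the two daemons most likely to have been hit were the ones the router exposed. A quick defender-side check is to cross-reference the ports the firewall forwards (the list Lisa's message gives) against what the host is actually listening on, so the services that are reachable from outside can be prioritised for patching or removal. The `netstat -ln`-style lines below are constructed sample input, not output captured from the compromised box.

```python
# Added example: match router-forwarded ports against listening daemons.
# Nothing here is from the original message; the netstat text is constructed.
import re

# Ports the quoted message says the FlowPoint router allowed through.
ALLOWED_INBOUND = {21: "FTP", 23: "Telnet", 25: "SMTP", 53: "DNS",
                   80: "HTTP", 110: "POP3", 143: "IMAP"}

# Constructed sample in the shape of `netstat -ln` output (not a real capture).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:119             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN
"""

# proto, recv-q, send-q, local address:port; the rest of the line is ignored.
LINE_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def listening_ports(netstat_text):
    """Return {port: set(protocols)} for sockets bound to a wildcard address.

    Sockets bound only to 127.0.0.1 are skipped: they cannot be reached
    through the router regardless of its forwarding rules.
    """
    ports = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        if addr in ("0.0.0.0", "::", "*"):
            ports.setdefault(port, set()).add(proto)
    return ports


def exposure_report(netstat_text, allowed=ALLOWED_INBOUND):
    """Split listening ports into externally reachable and internal-only.

    Returns (exposed, internal_only): exposed maps port -> service name for
    every listener the router forwards; internal_only is a sorted list of
    listening ports the router does not forward.
    """
    listening = listening_ports(netstat_text)
    exposed = {p: allowed[p] for p in listening if p in allowed}
    internal_only = sorted(p for p in listening if p not in allowed)
    return exposed, internal_only


if __name__ == "__main__":
    exposed, internal_only = exposure_report(SAMPLE_NETSTAT)
    for port, name in sorted(exposed.items()):
        print(f"{port:5d} {name:7s} reachable through the router; verify patch level")
    print("listening but not forwarded:", internal_only)
```

On the sample input, every forwarded port has a daemon behind it, so all seven services (FTP and DNS included) are externally reachable and need a verified patch level or removal; NNTP (119) and Samba (139) are listening but are not forwarded, which matches the "internal only" use the message describes for Samba.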



    This archive was generated by hypermail 2b30 : Thu May 17 2001 - 12:32:49 PDT