[olug] compromised again

mesc mescie at home.com
Sun Oct 1 15:23:00 UTC 2000


I just realized I have bigger problems than my previous post's X server
permissions. A few days ago my logcheck kept e-mailing me about an IP that
was trying to connect to port 25 but the connection was refused. This
went on for 4 hours. I dropped the IP into hosts.deny and thought that
was the end of it. Now I realize I should have disconnected from the net
after this went on for an hour or 2, a hard lesson learned. He/she must
have got in because I found this script in my cron.daily:

    #!/bin/sh
    /sbin/chkconfig innd && su - news -c /usr/bin/nntpsend

It was executable so I chmoded it to 040 so I could read it and paste it to
you. I'm no programmer but with su and send in it, it doesn't look
good. Maybe one of you could tell me what it does. I can't paste the last
line logcheck e-mailed me with his/her IP in it because I can't get
into X and none of my console e-mail progs were configured so none of
them have the message, but it went something like this:

    his ip>xxx.xxx.xxx.xxx relay my_isps_domain_name.com

Does this ring a bell to any of you as far as how he/she may have got in?
I'm going to wipe my O/S clean (again....argh) but I sure would like to
know how he/she got in so I can plug that hole :) I have port 25 open so
my news server can connect to it, but I guess there's no way around that.

            Thank you, Gary Martin


---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net
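The poster watched refused port-25 connections continue for four hours before acting; the following is an added example (not part of the original post or of logcheck) that turns that observation into a check: it parses syslog lines of the tcp_wrappers "refused connect from" form that logcheck forwards and flags source IPs whose refused attempts keep coming for longer than a window. The log format, host name, IPs and the one-hour/three-attempt thresholds are assumed and constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of the syslog lines logcheck forwards; hypothetical host
# name and documentation-range IPs, not values from the original post.
SAMPLE_LOG = """\
Oct  1 10:02:11 myhost sendmail[2211]: refused connect from 192.0.2.45
Oct  1 10:47:30 myhost sendmail[2290]: refused connect from 192.0.2.45
Oct  1 11:31:05 myhost sendmail[2354]: refused connect from 192.0.2.45
Oct  1 13:58:40 myhost sendmail[2601]: refused connect from 192.0.2.45
Oct  1 12:15:00 myhost sendmail[2410]: refused connect from 198.51.100.7
Oct  1 12:20:19 myhost sshd[2422]: Accepted password for gary from 198.51.100.20
"""

# tcp_wrappers-style refusal line (assumed format): timestamp, host, daemon, source IP.
REFUSED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<daemon>[\w.-]+)\[\d+\]: "
    r"refused connect from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_refusals(text, year=2000):
    """Return {ip: [(datetime, daemon), ...]} for every refused-connection line.
    Syslog lines carry no year, so one is supplied by the caller."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = REFUSED.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["ip"]].append((ts, m["daemon"]))
    return hits

def persistent_sources(text, min_attempts=3, window=timedelta(hours=1)):
    """IPs with at least `min_attempts` refusals whose first and last attempt
    are `window` or more apart: a source that keeps hammering a refused port
    for hours is the signal the poster saw, and the cue to pull the plug."""
    out = {}
    for ip, events in parse_refusals(text).items():
        times = sorted(t for t, _ in events)
        span = times[-1] - times[0]
        if len(times) >= min_attempts and span >= window:
            out[ip] = {"attempts": len(times),
                       "span_minutes": int(span.total_seconds() // 60),
                       "daemons": sorted({d for _, d in events})}
    return out

if __name__ == "__main__":
    for ip, info in persistent_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} refused attempts over "
              f"{info['span_minutes']} min against {', '.join(info['daemons'])}")
```

On the constructed sample only 192.0.2.45 is reported (four refusals spanning 236 minutes); the single refusal from 198.51.100.7 and the unrelated sshd line are ignored.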
