[Lincs] lug.org.uk has been compromised! My 2p
Andy Davidson
andyd at lug.org.uk
Sun Nov 28 17:16:57 GMT 2004
On 22 Nov 2004, at 15:34, Chris Marr wrote:
> How do you get a backdoor installed (whatever software it came with)
> in the first place? I'd have thought that lug admins would 1) get the
> software from a reputable source (ie, download from apache) to have
> some level of culpability, or 2) download source, check it for issues
> (ie backdoors) and then compile and test it.
Sounds more like one of the lugmasters installed a 'dirty' PHP script
instead of there being an issue with keeping any particular service on
the box, or the OS itself on the box up to date.
Here's a more detailed mail which might be of interest:
Begin forwarded message:
> Date: 22 November 2004 18:05:04 GMT
>
> Hi all,
>
> A kiddie ran an exploit against an old version of phpBB on the lug server, and
> unfortunately got a shell.
>
> They did not manage to get escalated privileges, but did run 'rm -fr /home';
>
> There are hardly any files owned by apache in that tree, but one of the few
> casualties was our wiki 'database'.
>
> They didn't delete their .bash_history, and their IP address was recovered
> from the deleted logs using debugfs. Aren't some people stupid?
--
Regards, Andy Davidson
http://www.fotoserve.com/
Great quality prints from digital photos.