Gentoo Forums
The hack of my gentoo today
Boris Kavod
Tux's lil' helper
Joined: 13 Jan 2004
Posts: 81
Location: Colombes (France - 92)

Posted: Thu Jun 09, 2005 9:44 pm    Post subject: The hack of my gentoo today

(Sorry for my bad English: I'm French.)

I would like to share my experience of today's hack.

(P.S.: all the system strings are approximate ones. I saved the logs, but I'm reinstalling my system so I can't see them.)

My server "was" a Gentoo which hadn't been updated for one or two months (yes, it's baaaad).

I'm behind a gateway running the IPCop distribution (http://www.ipcop.org).

My server had several ports open (FTP, SSH, HTTP and HTTPS).

Around 6 AM, my server was down, but I only saw it at 10 AM, without being able to do anything (because I was at work).

When I came back, I saw different problems:
"cat" was returning a seg fault
all services were down
when I wanted to bring them up, I was told "only root can turn services up" (but I was root)
reboot didn't work

When I reset it, /bin/rc crashed.

I used a Knoppix and chrooted into my root HD. I did an ls and I saw:
"entering to promiscuous mode"
So I did a netstat, which showed me a connection to an unknown address on port 80, from the ls process.

So I unplugged the Ethernet cable and started a reinstall ;)

After looking at my logs, I think Apache was the door.

If anyone is interested, I can share my logs when I find them again.
keli
Apprentice
Joined: 18 Jul 2003
Posts: 210
Location: TgMures, RO

Posted: Thu Jun 09, 2005 10:52 pm

Probably it was not Apache itself that was the doorway, but rather some long-expired public web application that might have been hosted there.

We have been broken into recently through an ancient awstats.cgi.

There are a bunch of exploits for various web applications running over Apache that are easily exploitable.

Anyway, if you found it out right away, then it was an amateur. ;)
_________________
"The future masters of technology will have to be lighthearted and intelligent. The machine easily masters the grim and the dumb."
Marshall McLuhan, 1969