-

Well the defaced website says it has been rooted, which means that the intruders have gained root access to the machine. Root is the master user on a unix machine. If this is the case then at the very least, passwords need to be changed and files restored.

It could just be BS too. Maybe just the web server software (apache?) was vulnerable, and maybe the damage was just limited to that, but I don't know enough about the machine to say what is what. They busted in somehow. It was probably an automated attack, some sort of worm.

Usually when something like this happens a clean install of the OS with the most recent software is the best answer. It may not be necessary. I'd try http://www.chkrootkit.org/ first and see if it can be cleaned up.

The point of entry needs to be identified as well. If the box is hardened, then it's probably the web server software. A port scan of the machine shows:

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-12-23 07:36 CST
Interesting ports on 66.78.41.199:
(The 1628 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      open        tcpmux
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
32/tcp     open        unknown
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
143/tcp    open        imap2
443/tcp    open        https
465/tcp    open        smtps
993/tcp    open        imaps
995/tcp    open        pop3s
3306/tcp   open        mysql
6666/tcp   open        irc-serv
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.20 - 2.4.21 w/grsecurity.org patch
Uptime 22.518 days (since Sun Nov 30 19:10:16 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 20.443 seconds
root@yutty:/home/andy#

Port 111 should really be blocked on a machine out in the wild, and if mysql does nothing but serve data to (apache) then it should be blocked to the outside world as well. imap has serious security issues if it's not up to date. apache is always being updated because of security issues.
ftp is kind of redundant with ssh running seeing as how putty supports sftp nowadays. I could go on and on.

I'm not going to poke at the box any more than this port scan unless someone tells me to.

Merry Christmas to us all.

Andy (Yutty)

--- Dave <d-a-v-e@xxxxxxxxxx> wrote:
> -
> What does it mean to be rooted?
>
> Do we simply need to replace files or change all the passwords?
>
> Dave
>
> Andy Sims wrote:
>
> > -
> >
> > Well I suppose it would considering the list is hosted by freelists.org
> >
> > Duh, should have thought of that.
> >
> > Glen or whoever keeps the SLAGA site up, if you could use some help cleaning up this mess let me know.
> >
> > What a bummer,
> >
> > Andy (Yutty)
> >
> > --- Andy Sims <yutty_666@xxxxxxxxx> wrote:
> > > -
> > >
> > > I just tried to visit the home page and it looks like the box has been cracked. I'm sending this to see if the list is still working.
> > >
> > > __________________________________
> > > Do you Yahoo!?
> > > New Yahoo! Photos - easier uploading and sharing.
> > > http://photos.yahoo.com/
> > >
> > > ****************************************************************************
> > > Our WebPage! Http://WWW.GeoStL.com
> > > Mail List Info. //www.freelists.org/cgi-bin/list?list_id=geocaching
> > > Mail List FAQ's: //www.freelists.org/help/questions.html
> > > ****************************************************************************
> > > To unsubscribe from this list:
> > > send an email to geocaching-request@xxxxxxxxxxxxx
> > > with 'unsubscribe' in the Subject field
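
The exposure review sketched in the top message, as an added example that is not part of the original thread: a Python parser for the nmap port table that applies the post's remarks (block sunrpc and mysql, retire ftp when ssh is present, check patch level on imap and the web server) as rules. The EXPECTED allowlist, the action strings and the function names are assumptions made for illustration.

```python
import re

# Port table as quoted in the post (host address line omitted).
SCAN = """\
(The 1628 ports scanned but not shown below are in state: closed)
Port       State       Service
1/tcp      open        tcpmux
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
32/tcp     open        unknown
53/tcp     open        domain
80/tcp     open        http
110/tcp    open        pop-3
111/tcp    open        sunrpc
143/tcp    open        imap2
443/tcp    open        https
465/tcp    open        smtps
993/tcp    open        imaps
995/tcp    open        pop3s
3306/tcp   open        mysql
6666/tcp   open        irc-serv
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")
BLOCK = {"sunrpc", "mysql"}  # post: block; mysql only if it just feeds the local web server
PATCH = {"imap2", "imaps", "http", "https"}  # post: risky unless kept up to date
# Assumption: services this host is meant to offer publicly (not stated in the post).
EXPECTED = {"ssh", "smtp", "smtps", "domain", "pop-3", "pop3s"}

def parse_ports(text):
    """Return (port, proto, service) for every table row whose state is open."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return [(int(m[1]), m[2], m[4]) for m in rows if m and m[3] == "open"]

def review(ports):
    """Map each open port to an action; ports needing none are omitted."""
    services = {svc for _, _, svc in ports}
    findings = {}
    for port, _, svc in ports:
        if svc in BLOCK:
            findings[port] = "block from outside"
        elif svc == "ftp" and "ssh" in services:
            findings[port] = "retire, sftp over ssh covers it"
        elif svc in PATCH:
            findings[port] = "verify patch level"
        elif svc not in EXPECTED:
            findings[port] = "identify the listener"
    return findings
```

Calling review(parse_ports(SCAN)) returns a dict keyed by port number; anything not covered by a rule or the allowlist comes back as "identify the listener", which on this scan includes the ports the message does not comment on.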