Re: [d-security] Debian Stable server hacked
On Wed, Aug 06, 2003 at 04:01:39PM +0200, Thijs Welman wrote:
> I'm puzzled about how they managed to get those processes running (as
> root). There are no local accounts, other than some accounts for the
> sysadmins. Does anyone have any idea how they might have done this?
Most times, servers are not cracked by somebody "logging in" and getting
root permissions somehow, but by somebody who convinces a running network
daemon like a web, database or mail server, by means of buffer overflows
etc., to execute arbitrary code instructions. This code will then e.g.
write a shell script and execute it, or spawn a shell. You will never
see an attacker in your "last" log :-)
Try "nmap" to see which services are reachable from the network.
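
Added example, not part of the original message: the host-side counterpart to the nmap check, listing TCP listeners bound to non-loopback addresses together with the uid that owns each socket, so root-owned network daemons stand out. It assumes Linux's `/proc/net/tcp` layout on a little-endian machine and covers IPv4 only; the sample table and the function names are constructed for illustration.

```python
import socket
import struct

# Constructed sample in /proc/net/tcp format (not taken from the affected host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1003 1
   3: 0A00000A:0016 0200000A:C350 01 00000000:00000000 02:000A0000 00000000     0        0 1004 1
"""

TCP_LISTEN = 0x0A  # kernel socket state for a listening TCP socket


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port); IP is little-endian hex."""
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def network_listeners(table):
    """Return listening sockets that are not bound to loopback only."""
    found = []
    for line in table.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 10 or int(cols[3], 16) != TCP_LISTEN:
            continue                             # malformed or not listening
        ip, port = decode_addr(cols[1])
        if ip.startswith("127."):
            continue                             # not reachable from the network
        found.append({"ip": ip, "port": port,
                      "uid": int(cols[7]), "inode": int(cols[9])})
    return sorted(found, key=lambda r: r["port"])


def report(table):
    """One line per network-reachable listener, naming the socket owner."""
    lines = []
    for r in network_listeners(table):
        owner = "root" if r["uid"] == 0 else f"uid {r['uid']}"
        lines.append(f"{r['ip']}:{r['port']} owned by {owner}")
    return lines


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:        # live table on a Linux host
            data = fh.read()
    except OSError:
        data = SAMPLE                            # fall back to the sample
    print("\n".join(report(data)))
```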