Re: hacked again...

Posted by Alexander Galloway | Tue Nov 30th 2004 7:57 p.m.

a quick port scan with nmap reveals that you have lots of ports open,
meaning lots of security vulnerabilities:

Interesting ports on 212.67.198.29:
(The 1646 ports scanned but not shown below are in state: closed)
PORT       STATE     SERVICE        VERSION
21/tcp     open      ftp?
23/tcp     open      telnet         Linux telnetd
25/tcp     open      smtp           Sendmail smtpd 8.10.2/8.10.2
53/tcp     open      domain         ISC Bind 8.2.7-REL
80/tcp     open      http           Apache httpd 1.3.20
81/tcp     open      http           Apache httpd 1.3.20 (Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b mod_auth_pam_external/0.1 mod_perl/1.25)
110/tcp    open      pop3           Qpop pop3d ?
143/tcp    open      imap           UW imapd 2003.338
444/tcp    open      http           Apache httpd 1.3.20 (Sun Cobalt (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b mod_auth_pam_external/0.1 mod_perl/1.25)
3000/tcp   open      ppp?
3001/tcp   open      nessusd?
27665/tcp  filtered  Trinoo_Master
31337/tcp  filtered  Elite
Device type: general purpose
Running: Linux 2.1.X|2.2.X
OS details: Linux 2.1.19 - 2.2.25, Linux 2.2.13
Uptime 9.406 days (since Sun Nov 21 11:45:28 2004)

hmmmm something called "Elite" running on port 31337? "Trinoo_Master"?
bingo. you've been haxored. marc, do you administer your own machine?
if so, i would back up your email and web files, then unplug it from
the network and do a fresh install following strict security rules for
locking down your box. you really should only have ports open for http
and ssh (and pop3/imap/smtp if you really need this machine for email).
do you really need three apaches running? also, ftp and telnet are not
secure, don't use them (sftp and ssh have replaced them).

remember, hackers are rarely "deliberate"... only opportunistic. don't
take it personally. if you compromise yourself, they will come.

hope that helps.

-ag

On Nov 30, 2004, at 6:45 PM, marc garrett wrote:

> hacked again...
>
> hi everyone,
>
> This is marc garrett from furtherfield.org - well it looks like after
> all the hard work that we have spent getting the server back into
> action again, updating it making it (supposedly) vulnerable was a
> waste of time...
>
> Once again, the server has been hacked. This time we feel that it is a
> deliberate action to attack us or someone else on the server.
>
> If anyone wishes to contact me regarding furtherfield things...
>
> or with related information regarding other servers that have been
> hacked as well, like irational.org & southspace.org (who are now back
> online again), or who might have some idea of who it is, actively
> trying to stop all of us on the server from continuing our creative and
> progressive net art functions. We would be most grateful.
>
> wishing you all the best...
>
> marc garrett
>
> my temporary email is:
> a8theist@yahoo.co.uk

--------------------------------------------
Alexander Galloway, Assistant Professor, NYU
-- http://itserve.cc.ed.nyu.edu/galloway/ --

<article>
"Social Realism in Gaming," Game Studies
(http://gamestudies.org/0401/galloway)
</article>

<book>
"Protocol," MIT Press (http://mitpress.mit.edu/protocol)
</book>
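
The policy from the reply above (only http and ssh, plus smtp/pop3/imap if mail is needed; no ftp or telnet; no redundant web servers) checked against the scan's port table, as an added example that is not part of the original post. The `ALLOWED` and `CLEARTEXT` sets, the function names and the finding labels are assumptions chosen for illustration.

```python
import re

# Port, state and service columns from the scan quoted in the post
# (version strings omitted).
SCAN = """\
21/tcp open ftp?
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
81/tcp open http
110/tcp open pop3
143/tcp open imap
444/tcp open http
3000/tcp open ppp?
3001/tcp open nessusd?
27665/tcp filtered Trinoo_Master
31337/tcp filtered Elite
"""

# Assumed policy, following the reply's advice.
ALLOWED = {"http", "ssh", "smtp", "pop3", "imap"}
CLEARTEXT = {"ftp", "telnet"}  # the reply says sftp and ssh replace these

LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)")

def parse(scan):
    """Yield (port, state, service) per port-table line; a trailing '?' (nmap's guess marker) is dropped."""
    for raw in scan.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).rstrip("?")

def audit(scan, allowed=ALLOWED):
    """Return (port, service, reason) for every port that breaks the policy."""
    findings, seen = [], set()
    for port, state, service in parse(scan):
        if state == "filtered":
            # A packet filter blocked the probe: nmap cannot say whether anything
            # listens there, and the service name is a lookup by port number.
            findings.append((port, service, "filtered"))
        elif state != "open":
            continue
        elif service in CLEARTEXT:
            findings.append((port, service, "cleartext"))
        elif service not in allowed:
            findings.append((port, service, "not-in-policy"))
        elif service in seen:
            findings.append((port, service, "duplicate-listener"))
        else:
            seen.add(service)
    return findings
```

Calling `audit(SCAN)` returns nine findings for this host; ports 25, 80, 110 and 143 pass the assumed policy.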