Locked down an FTP server that the French hoodlums hosed via anonymous FTP. Turned off NFS etc. but forgot to turn off rpc.statd. Got a call on Monday asking if I had added a user called admin with a UID of 0. OH! SH*T! Log files empty, ps and a lot of other files changed in bin, an ssh session going out port 6006, and I liked the hosts.allow file. Looked entirely normal until I did a `cat -vet hosts.allow`: 60 carriage returns followed by the line ALL:ALL:.dk.

We back up nightly, so I found the date of the passwd file change, did a find on all files changed on or after then, and restored from tape to get the pertinent logs. Got the little bastard. Logged in from a class C network; got his IP address and its resolved name, which was an IP hanging off an ADSL modem in Denmark. Now, that ID could have been a university address or whatever, but an FTP session was started on Sept 27th and denied because we had turned off anonymous. Must have pissed him off, because the logs show continuous buffer overruns on rpc.statd from there until he got in and put in a rootkit. After rooting the box he did a telnet from the same resolved name and was mucking about in the system. Gave the hard drive to security for Munich Legal and rebuilt from scratch, making sure we went by a checklist this time to turn it all off.
thanx,
bill
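Two of the checks in the post above are worth having as a repeatable script: showing what `cat -vet` reveals in a padded hosts.allow, and listing every file modified after a reference file (the passwd change). The script below is an added example, not code from the original poster; it builds a constructed hosts.allow in a temporary directory (a legitimate sshd rule, 60 blank lines, then the ALL:ALL:.dk entry from the post) and a back-dated reference file, so it runs offline without touching the real /etc. Function names, the sample rule, and the temp-file layout are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Reproduces the padded
# hosts.allow trick on a constructed file and shows two defender checks.
# Everything lives under a temporary directory; nothing real is modified.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
sample="$tmpdir/hosts.allow"

# Constructed sample: one normal rule, 60 empty lines, then a wildcard
# entry that scrolls off the screen if you just `cat` the file.
{
  printf 'sshd: 192.168.1.0/255.255.255.0\n'
  i=0
  while [ "$i" -lt 60 ]; do printf '\n'; i=$((i + 1)); done
  printf 'ALL:ALL:.dk\n'
} > "$sample"

# cat -vet marks each line end with "$" and exposes non-printing bytes,
# so the 60 empty lines show up as 60 lines containing only "$".
show_hidden() { cat -vet "$1"; }

# Longest run of consecutive blank lines; a long run in a small access
# control file is a sign something was pushed out of view.
max_blank_run() {
  awk '/^[[:space:]]*$/ { run++; if (run > max) max = run; next }
       { run = 0 }
       END { print max + 0 }' "$1"
}

# Number of rules whose daemon list and client list are both ALL,
# ignoring comments and blank lines (the pattern from the post).
count_all_all() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    awk -F: '{ gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2) }
             $1 == "ALL" && $2 == "ALL" { n++ }
             END { print n + 0 }'
}

# Files changed after a reference file's mtime, the post's "find on all
# files changed on or after" the passwd change. The reference is
# back-dated so the two other files in the directory count as changed.
ref="$tmpdir/passwd.ref"
touch -t 202001010000 "$ref"
touch "$tmpdir/ps"
changed_since() { find "$2" -type f -newer "$1" | sort; }
count_changed_since() { changed_since "$1" "$2" | wc -l | tr -d ' '; }

# Stand-alone run: show the hidden padding and the summary numbers.
show_hidden "$sample" | tail -n 3
echo "longest blank run: $(max_blank_run "$sample")"
echo "ALL:ALL rules: $(count_all_all "$sample")"
echo "files newer than passwd reference: $(count_changed_since "$ref" "$tmpdir")"
```

On a real host, run the two hosts.allow checks against /etc/hosts.allow and /etc/hosts.deny, and point the find at / with a reference file whose mtime you trust (here a copy of passwd from the last good backup) rather than at the temp directory.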