topic Re: Hacked; recovering in Operating System - Linux

Hacked; recovering

Vernon Brown_2 — Wed, 14 Aug 2002 16:17:44 GMT

Hacker changed my root password and did much damage. I reformated and installed RH 7.1. Recovered my data from backups. Have everything going now except pop-3 service. I typed in the ipop3 entry in xinetd.d by memory and maybe missed something.

When I telnet to my.domain 110 I get "connection refused."

How can I know if pop-3 is running ? Here is my ipop3 entry in xinetd.d.

service pop-3
{
protocol = tcp
user = root
socket_type = stream
wait = no
server = /usr/local/sbin/popper qpopper -s
disable = no
}

$ ls -l /usr/local/sbin
total 124
-rwxr-xr-x 1 root root 120980 Aug 13 09:44 popper

Thanks and points for any help !

Re: Hacked; recovering

Ron Kinner — Wed, 14 Aug 2002 17:37:44 GMT

netstat -an |grep 110

should show if your PC is listening on port 110 which is pop3's usual port.

Ron

Re: Hacked; recovering

Vernon Brown_2 — Wed, 14 Aug 2002 17:54:04 GMT

Many Thanks !!

netstat -an | grep 110 returns empty. So can someone compare my pop-3 entry above with the RedHat ipop3 entry to see if it is correct.

Also; is there a way to update RedHat 7.1 to add stuff that was missed on the original install.

Re: Hacked; recovering

Ron Kinner — Wed, 14 Aug 2002 19:19:24 GMT

Don't see anything wrong with your xinet.d entry.

See if either of these helps.

http://a1392.g.akamaitech.net/7/1392/939/0002/www.eudora.com/download/eudora/qpopper/4.0/free/final/Qpopper.pdf

Also:
http://www.naspa.com/PDF/2001/0401%20PDF/T0104006.pdf

Use RPM to add stuff to your Linux.

Ron

Re: Hacked; recovering

Vernon Brown_2 — Wed, 14 Aug 2002 19:45:29 GMT

Thanks !

Do you happen to know the rpm module that contains the RedHat pop-3 server. Or what can I grep for on what CD of the 7.1 release.

Re: Hacked; recovering

Ron Kinner — Wed, 14 Aug 2002 21:22:37 GMT

I think it's hidden in the imap package:

http://isp-lists.isp-planet.com/isp-unix/0105/msg00093.html

Ron

Re: Hacked; recovering

Vernon Brown_2 — Wed, 14 Aug 2002 21:47:37 GMT

Thanks I'll see if I can rpm
the imap package.

Re: Hacked; recovering

Sorrel G. Jakins — Thu, 15 Aug 2002 03:22:42 GMT

Ron Kinner,

Why do you use
http://a1392.g.akamaitech.net/7/1392/939/0002/www.eudora.com/download/eudora/qpopper/4.0/free/final/Qpopper.pdf

and not just go straight to eudora like this:
http://www.eudora.com/download/eudora/qpopper/4.0/free/final/Qpopper.pdf

In other words, who is akamai, and why would you want to go there to redirect to eudora?

Sorrel Jakins, pointy-hair boss and no cap/crown/wizard hat.

Re: Hacked; recovering

Ron Kinner — Thu, 15 Aug 2002 12:32:37 GMT

Sorrel,

Got a page via a google search and then clicked on a link which had what I wanted and just copied what came up at the top. Too lazy to bother with figuring out what was the real URL.

Ron

Re: Hacked; recovering

Richard Chang — Fri, 16 Aug 2002 12:17:38 GMT

Akamai is just a caching web server. A lot of companies buy their service (cnn.com is another that uses them).

The basic gyst of it is, Akamai puts servers in regions of the US. And, depending on where you are located, the content you are trying to view is provided from the server closest to you.

One of the benefits to the Akamai customer is that their servers don't have to handle the load - Akamai has to deal with that.

So, in this particular case, the download you are trying to get was going to come from a Akamai server that is close to you. This is very beneficial if you are on the east coast, and the origin company is on the west coast.

-Rich