Hacked at Home
By Lincoln D. Stein
A few days ago I received an email from Bob Kaehms, editor in chief of Web Techniques, notifying me that his home network had been hacked into. He runs a Red Hat Linux server connected to his ISP via a high-speed Digital Subscriber Line (DSL). Weeks earlier hackers had discovered that Bob's server runs an old version of the IMAP remote mail access daemon, long known to contain a static buffer overflow bug. By exploiting this bug, presumably with the aid of a hacking kit, the Bad Guys were able to gain root access to Bob's machine and add a new user to the password file.
Bob discovered that something was amiss several days later when he happened to be reviewing the password file and found a new user entry named "moof" at the bottom. After removing the offending line, he reviewed the system logs and ultimately discovered error messages from IMAP, which he immediately disabled along with other services. "Gee, what could they possibly want with a 100MHz Pentium?" he thought to himself while trying to repair the damage. Aside from the new user account, it didn't seem as if the hackers had done any damage. Or had they? Since the Bad Guys had gained root access to the system there was no way of knowing for sure. They could have replaced system binaries with doctored versions, scattered Trojan horses about, or changed Bob's address book. They could have read Bob's personal email, or even -- heaven forbid -- changed the payment arrangements for Web Techniques columnists! There was no way to tell what might have been tampered with.
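Bob found the intrusion by eyeballing the password file for an unfamiliar name. The following is an added example (not from the article or from Bob's system) of how that check can be made routine: it parses a trusted baseline copy of `/etc/passwd` and the current copy, and reports accounts that are new, accounts whose UID/GID/home/shell changed, and any non-root account with UID 0. The two file contents and the user `bob` are constructed samples; the rogue `moof` entry mirrors the one described above.

```python
"""Audit an /etc/passwd snapshot against a trusted baseline.

Added example: flags (a) accounts absent from the baseline, (b) existing
accounts whose uid/gid/home/shell changed, and (c) any account other than
root that carries UID 0. All file contents below are constructed samples.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> dict[str, PasswdEntry]:
    """Parse passwd(5) lines (name:passwd:uid:gid:gecos:home:shell).

    Malformed lines are skipped rather than raising, so a tampered file
    still gets scanned instead of aborting the audit.
    """
    entries: dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, _gecos, home, shell = fields
        try:
            entries[name] = PasswdEntry(name, int(uid), int(gid), home, shell)
        except ValueError:
            continue  # non-numeric uid/gid: not a valid entry
    return entries


def new_accounts(baseline: dict, current: dict) -> list[str]:
    """Usernames present now that were not in the trusted baseline."""
    return sorted(set(current) - set(baseline))


def changed_accounts(baseline: dict, current: dict) -> list[str]:
    """Usernames in both snapshots whose identity fields differ
    (e.g. an existing user silently promoted to UID 0)."""
    return sorted(n for n in set(baseline) & set(current) if baseline[n] != current[n])


def rogue_superusers(current: dict) -> list[str]:
    """Any account other than root that has UID 0."""
    return sorted(e.name for e in current.values() if e.uid == 0 and e.name != "root")


def audit(baseline_text: str, current_text: str) -> dict[str, list[str]]:
    """Run all three checks and return the findings keyed by check name."""
    baseline = parse_passwd(baseline_text)
    current = parse_passwd(current_text)
    return {
        "new": new_accounts(baseline, current),
        "changed": changed_accounts(baseline, current),
        "uid0": rogue_superusers(current),
    }


# Constructed sample: the baseline as saved before the break-in.
BASELINE = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bob:x:500:500:Bob:/home/bob:/bin/bash
"""

# Constructed sample: same file with a rogue UID-0 account appended.
WITH_MOOF = BASELINE + "moof:x:0:0::/root:/bin/sh\n"

# Constructed sample: no new line, but bob's UID/GID rewritten to 0.
WITH_PROMOTED_BOB = BASELINE.replace("bob:x:500:500", "bob:x:0:0")

if __name__ == "__main__":
    for label, snapshot in (("appended account", WITH_MOOF),
                            ("promoted account", WITH_PROMOTED_BOB)):
        print(label, audit(BASELINE, snapshot))
```

The baseline only helps if the attacker cannot rewrite it too, so keep it off the host or on read-only media; a root-level intruder, like the one here, can edit any file on the compromised machine.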