[NCLUG] I was hacked!
NIESEWAND,OLIVER (Non-HP-FtCollins,ex1)
oliver_niesewand at non.hp.com
Thu Dec 28 15:05:04 MST 2000
I 0wN y00r @zz, DWY3R!!!
tH@ m@Tr1x h@Z y00.
-----Original Message-----
From: Michael Dwyer [mailto:mdwyer at sixthdimension.com]
Sent: Thursday, December 28, 2000 2:55 PM
To: nclug at nclug.org
Subject: Re: [NCLUG] I was hacked!
At 02:24 PM 12/28/00 -0700, you wrote:
>I posted a couple of weeks ago asking about enabling telnet. Well, I
>think it, or ftp, got me hacked into over the weekend. Somebody gained
I would bank on FTP. WuFTP has been a regular feature on BugTRAQ. It has
got a number of problems, and I think it is being actively exploited,
possibly by automated tools.
>access, created two user accounts and ended up uploading and compiling the
>source for a port sniffer/hacker program in "/root/.. /scan/".
Look for other things, as well -- my visitor was running a sniffer, but his
(her?) real reason for being here was to install an IRC bot, BNC proxy and
a DDoS flooding client.
>Pretty tricky, but they left footprints in the .bash_history files.
Most of my .bash_history files were symlinked to /dev/null. It would be an
interesting honeypot experiment to make the system actually /save/ what
went into /dev/null somewhere...
>Since I found this out and shut down the services, I've been getting
>like 3 or 4 login attempts a day from other Redhat 6.2 installs. I'm
>running the standard 6.2 workstation install, the telnet and ftp servers
>are off the distribution.
I do hope you have made sure your machine isn't still compromised. My
hacker installed a rootkit that hid his traces rather well. If I hadn't
been looking for them, I never would have found them. For grins,
check the md5sum of your /bin/ls file. On a clean RedHat i386 'Zoot'
install, it looks like this: (Forgive errors... Typed by hand! If there
is any difference, the key would be WAY off.)
# md5sum /bin/ls
/bin/ls: 5ec59b9c05706b4ce65adf44d0d3ab24
If this test fails, you have larger problems. For what it is worth, there
are a number of other tests, but they usually attack ls at the very least.
>Luckily, the hack was on one of my home lab machines. I had just set it
>up for 1394-Linux driver stuff only, so no real work was compromised,
>just my ego. If anyone is interested in seeing how they did it (I saved
>most of the logs and the bash_historys) I can post the logs and source
>on the reflector.
Oh, I'm very curious! Know thy enemy, eh?
>I guess the moral of the story is "Firewalls are your friend".
Firewalls can only protect you against so much... But they are a helluva
lot better than putting a crisp, clean, unpatched Linux box out on a decent
network connection. You're just /inviting/ trouble.
_______________________________________________
NCLUG mailing list
NCLUG at nclug.org
http://www.nclug.org/mailman/listinfo/nclug
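The one-file md5sum check Dwyer suggests above generalises naturally into a baseline comparison over a whole list of binaries, plus a sweep for the other trick he mentions, .bash_history symlinked to /dev/null. The script below is an added example, not code from the NCLUG thread or from anyone on it. It assumes GNU coreutils (md5sum, readlink, mktemp) as found on a RedHat box; the demo tree, its file contents and therefore its hashes are constructed here for the example and are not real RedHat 6.2 hashes. A real baseline has to be recorded from a known-clean install and kept off the machine being checked.

```shell
#!/bin/sh
# Added example, not code from the NCLUG thread: generalises the
# "md5sum /bin/ls" check into a baseline comparison, plus a scan for
# .bash_history files that have been pointed at /dev/null.
# Assumes GNU coreutils (md5sum, readlink, mktemp) as on a RedHat box.
# The demo tree, file contents and hashes are constructed for this
# example; a real baseline comes from a known-clean install and is
# kept off the machine being checked.

# verify_baseline BASELINE ROOT
# BASELINE holds md5sum-style lines: "<md5>  <path relative to ROOT>".
# Prints one line per file; returns 0 only if every file is present and matches.
verify_baseline() {
    baseline=$1; root=$2; status=0
    while read -r want path; do
        [ -z "$path" ] && continue          # skip blank lines
        file="$root/$path"
        if [ ! -f "$file" ]; then
            echo "MISSING  $path"; status=1; continue
        fi
        have=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path (expected $want, got $have)"; status=1
        fi
    done < "$baseline"
    return $status
}

# find_null_histories ROOT
# Lists root's and every home directory's .bash_history that is a symlink
# to /dev/null (the trick seen in the thread). Returns 0 if any were found.
find_null_histories() {
    root=$1; found=1
    for h in "$root/root/.bash_history" "$root"/home/*/.bash_history; do
        [ -L "$h" ] || continue
        if [ "$(readlink "$h")" = "/dev/null" ]; then
            echo "HISTORY->/dev/null $h"; found=0
        fi
    done
    return $found
}

# make_demo_root: build a small constructed "clean system" under a temp
# directory, record its baseline, and print the directory path.
make_demo_root() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/root" "$root/home/alice"
    printf 'genuine ls\n'      > "$root/bin/ls"
    printf 'genuine ps\n'      > "$root/bin/ps"
    printf 'genuine netstat\n' > "$root/bin/netstat"
    printf 'ls -la\n'          > "$root/home/alice/.bash_history"
    ( cd "$root" && md5sum bin/ls bin/ps bin/netstat ) > "$root/baseline.md5"
    echo "$root"
}

# trojan_demo_root ROOT: simulate what the rootkit in the thread did:
# swap in a modified ls, drop a binary, and hide root's shell history.
trojan_demo_root() {
    root=$1
    printf 'trojaned ls\n' > "$root/bin/ls"
    rm -f "$root/bin/netstat"
    ln -s /dev/null "$root/root/.bash_history"
}

# Stand-alone run: check the clean tree, compromise it, check again.
demo=$(make_demo_root)
echo "== clean tree =="
verify_baseline "$demo/baseline.md5" "$demo"
find_null_histories "$demo" || echo "no nulled history files"
trojan_demo_root "$demo"
echo "== after rootkit =="
verify_baseline "$demo/baseline.md5" "$demo" || echo "baseline check FAILED"
find_null_histories "$demo"
rm -rf "$demo"
```

Two caveats a practitioner would add to Dwyer's suggestion. First, a rootkit that replaces ls, ps and netstat can just as easily replace md5sum, so run the checking tools from a known-clean boot floppy or CD rather than from the suspect box's own /bin, and keep the baseline file somewhere the intruder could not have edited it. On an RPM-based system `rpm -Va` compares installed files against the package database, which is a convenient second opinion but sits on the same disk the intruder owned. Second, md5 was fine for this purpose in 2000 but is no longer collision-resistant; swapping `md5sum` for `sha256sum` in the script changes nothing else.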