[NCLUG] I was hacked!

NIESEWAND,OLIVER (Non-HP-FtCollins,ex1) oliver_niesewand at non.hp.com
Thu Dec 28 15:05:04 MST 2000


I 0wN y00r @zz, DWY3R!!!

tH@ m@Tr1x h@Z y00.

-----Original Message-----
From: Michael Dwyer [mailto:mdwyer at sixthdimension.com]
Sent: Thursday, December 28, 2000 2:55 PM
To: nclug at nclug.org
Subject: Re: [NCLUG] I was hacked!


At 02:24 PM 12/28/00 -0700, you wrote:
>I posted a couple of weeks ago asking about enabling telnet.  Well, I
>think it, or ftp got me hacked into over the weekend.  Somebody gained

I would bank on FTP.  WuFTP has been a regular feature on BugTRAQ.  It has 
got a number of problems, and I think it is being actively exploited, 
possibly by automated tools.

>access, created two user accounts and ended uploading and compiling the
>source for a port sniffer/hacker program in "/root/..    /scan/".

Look for other things, as well -- my visitor was running a sniffer, but his 
(her?) real reason for being here was to install an IRC bot, BNC proxy and 
a DDoS flooding client.

>Pretty tricky, but they left footprints in the .bash_history files.

Most of my .bash_history files were symlinked to /dev/null.  It would be an 
interesting honeypot experiment to make the system actually /save/ what 
went into /dev/null somewhere...

>Since I found this out and shut down the services, I've been getting
>like 3 or 4 login attempts a day from other Redhat 6.2 installs.  I'm
>running the standard 6.2 workstation install, the telnet and ftp servers
>are off the distribution.

I do hope you have made sure your machine isn't still compromised.  My 
hacker installed a rootkit that hid his traces rather well.  If I hadn't 
been looking for them, I never would have found them.  For grins, 
check the md5sum of your /bin/ls file.  On a clean RedHat i386 'Zoot' 
install, it looks like this:  (Forgive errors...  Typed by hand! If there 
is any difference, the key would be WAY off.)

# md5sum /bin/ls
/bin/ls: 5ec59b9c05706b4ce65adf44d0d3ab24

If this test fails, you have larger problems.  For what it is worth, there 
are a number of other tests, but they usually attack ls at the very least.

>Luckily, the hack was on one of my home lab machines.  I had just set it
>up for 1394-Linux driver stuff only, so no real work was compromised,
>just my ego.  If anyone is interested in seeing how they did it (I saved
>most of the logs and the bash_historys) I can post the logs and source
>on the reflector.

Oh, I'm very curious!  Know thy enemy, eh?

>I guess the moral of the story is "Firewalls are your friend".

Firewalls can only protect you against so much...  But they are a helluva 
lot better than putting a crisp, clean, unpatched Linux box out on a decent 
network connection.  You're just /inviting/ trouble.
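The /bin/ls md5sum check Michael describes, generalised from one hand-typed hash to a stored baseline of several binaries; this is an added example, not code from the thread, and the baseline path and file list are whatever you pass in.

```shell
#!/bin/sh
# Integrity baseline for system binaries (added example).
# Uses md5sum as the post does; sha256sum is a drop-in replacement where
# available.  Works on any files the caller can read.

# make_baseline BASELINE_FILE PATH...  -> writes "hash  path" lines
make_baseline() {
    baseline="$1"; shift
    : > "$baseline"
    for f in "$@"; do
        md5sum "$f" >> "$baseline" || return 1
    done
}

# verify_baseline BASELINE_FILE
# Prints one line per changed or missing file; the return status is the
# number of problems found (0 means every file still matches).
verify_baseline() {
    baseline="$1"
    bad=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=$((bad + 1))
            continue
        fi
        have=$(md5sum "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED  $path (expected $want, got $have)"
            bad=$((bad + 1))
        fi
    done < "$baseline"
    return "$bad"
}

# Usage: sh check.sh BASELINE PATH...  (create)    sh check.sh BASELINE  (verify)
case "$#" in
    0) ;;                        # sourced for its functions only
    1) verify_baseline "$1" ;;
    *) make_baseline "$@" ;;
esac
```

Keep the baseline off the box (read-only media or a second host), since anyone who can replace /bin/ls can also rewrite a baseline stored beside it; a rootkit that trojans md5sum itself is only caught by running the check from clean boot media.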


_______________________________________________
NCLUG mailing list
NCLUG at nclug.org
http://www.nclug.org/mailman/listinfo/nclug