[NCLUG] I was hacked!
Michael Dwyer
mdwyer at sixthdimension.com
Thu Dec 28 16:28:36 MST 2000
At 03:37 PM 12/28/00 -0700, you wrote:
>Ditto for one of our customers' RH6.2 machines which got hacked on 12/2. Didn't
>notice it until the bandwidth for the customer went way up due to it flooding
>a machine in NY.
I'm embarrassed to report that when that happened to us, I just assumed that
the network card freaked out. I intended to check out the machine later;
because of the trojan'd tools, I didn't notice anything bad, so I just left
it off the network until the machine was needed again.
> I do hope you have made sure your machine isn't still
> compromised. check the md5sum of your /bin/ls file.
>
>On RedHat systems "rpm -V -a | more" is a better tool. There is quite a
>point: I would expect the root kit to include md5sum and tar too.
Ahyeah... Tripwire is the ideal solution, but for some reason it isn't
widely used, yet. (I think it was recently GPL'd, so that's not the
reason, eh?) John brings up a good point, though -- they usually get the
obvious tools, but miss the less obvious ones. You can get a file list
with "echo *", and get around a trojan'd find(1) with tar(1). My solution
was to boot from the LinuxCare bootable CD
(http://www.linuxcare.com/bootable_cd) to start the machine and look around
with known-good tools. Amazing what appeared...
(PS: The club needs to score us some LinuxCare bootable business cards!
They won't sell them! Doh! But you can get the ISO image!)
>containing the hackers' tools/files ... including an IRC log of over 100
>machines that were on the compromised network. From info in the IRC log, it
>appears they automatically segment the hacked network when it reaches a
>certain size. This probably allows for multiple hacked network segments to
>become compromised and shut down ... but authorities never really can take
>them completely off the air.
You did your homework too! <grin> According to this article, that is
exactly what is going on: http://www.robertgraham.com/op-ed/magic-ddos.html
> Has anyone in the linux community thought about banding together to
> actively hunt and kill these slobs? Effective coordination would be
> interesting, especially to minimize "moles" from diverting/hijacking
> the effort.
The tools to support this effort already exist. I was about to throw out my
anti-RedHat speech here, but you've already heard it, and didn't want to
hear me whining last time, either. Let me just say that I think it would
surely help a little if everyone made security the first thing they thought
about instead of the last. Why are so many Linux users surprised at how
many ports are open on their machine? Why don't more people follow the
security advisories? Why is Bastille such a secret?
That said, it is getting better. Auto-updating is becoming a reality. I'm
particularly impressed with -- put down those sticks! -- Windows
Update. It works well! (And good thing, too!) And apparently RH7 now
does auto-updates as well. Excellent!
I think it is all about education. I'd love to give a talk about security
sometime... I considered offering it up to the CSU-LUG, in return for
snagging the best book at their first meeting. <blush>
> They also added passwords to the lpd and ftp system accounts to telnet in,
> after
My hacker used a trojan'd inetd that gave a root shell if you telnetted to
a specific port and gave the right password. FWIW, it looks like they used
Linux Root Kit v3 by Lord Somer, or something similar. The script kiddie
used Pico to edit his configs! Bwahahahaha....
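[Editor's note, added after the message above: the post recommends listing files with "echo *" so a trojan'd ls(1) or find(1) is never run, checking binaries against known-good hashes, and doing all of it from known-good media. The script below is an added illustration of that idea, not code from the original post, from LinuxCare, or from Tripwire. It goes a little past the post: "echo *" is extended into a recursive tree walk done entirely with shell globs, and the hashes are kept as a baseline manifest that a later run compares against. The function names list_files, make_baseline and verify_baseline are made up here; it assumes GNU coreutils (sha256sum, sort, comm, grep -F -f, mktemp).]

```shell
#!/bin/sh
# Added example, not code from the original post or from any tool it names.
# A minimal Tripwire-style baseline/verify check: enumerate a tree with shell
# globs (the "echo *" trick, so ls(1) and find(1) are never executed), record
# a sha256 of each regular file, and later report what changed.
# Assumes GNU coreutils (sha256sum, sort, comm, grep -F -f, mktemp) and paths
# without newlines or backslashes (sha256sum escapes those differently).
# Function names (list_files, make_baseline, verify_baseline) are made up here.

LC_ALL=C; export LC_ALL     # byte-order sorting, so comm(1) input is consistent

# Print every regular file under $1, one per line, using only globbing and
# shell builtins. Symlinks are skipped to avoid loops. "$d"/.[!.]* picks up
# dotfiles (all but "." and ".."). No 'local' is needed for the recursion:
# the for-loop's word list is expanded once, before the body runs, so the
# recursive call clobbering d and f does not affect the remaining iterations.
list_files() {
    d=$1
    for f in "$d"/* "$d"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        if [ -d "$f" ] && [ ! -L "$f" ]; then
            list_files "$f"
        elif [ -f "$f" ] && [ ! -L "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Baseline manifest in sha256sum's "<hash>  <path>" format, sorted by path.
# Keep it off the box (or on read-only media): root can rewrite a local copy.
make_baseline() {
    list_files "$1" | sort | while IFS= read -r p; do
        sha256sum "$p"
    done
}

# Compare the tree $2 against manifest $1. Prints one MISSING/ADDED/CHANGED
# line per differing path; returns 0 when the tree matches, 1 otherwise.
verify_baseline() {
    manifest=$1
    tree=$2
    tmp=$(mktemp -d) || return 2
    make_baseline "$tree" >"$tmp/cur"
    sed 's/^[0-9a-f]*  //' "$manifest" | sort >"$tmp/base.paths"
    sed 's/^[0-9a-f]*  //' "$tmp/cur"  | sort >"$tmp/cur.paths"
    out=$(
        comm -23 "$tmp/base.paths" "$tmp/cur.paths" | sed 's/^/MISSING /'
        comm -13 "$tmp/base.paths" "$tmp/cur.paths" | sed 's/^/ADDED /'
        # current manifest lines not found verbatim in the baseline, kept only
        # for paths the baseline already knows: the content (hash) changed
        grep -vxF -f "$manifest" "$tmp/cur" | sed 's/^[0-9a-f]*  //' \
            | grep -xF -f "$tmp/base.paths" | sed 's/^/CHANGED /'
    )
    rm -rf "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Typical use (paths are illustrative):
#   make_baseline /usr/bin > /mnt/floppy/usr-bin.sha256      # while clean
#   verify_baseline /mnt/floppy/usr-bin.sha256 /usr/bin      # after an incident
```

The caveat the post itself makes still applies: on a compromised box sha256sum, sort and grep may be trojan'd just like ls, so run the verify step from the known-good boot CD against a manifest that was never writable by the host. The same goes for "rpm -V": it compares against /var/lib/rpm on the host, which root can rewrite, whereas an off-box manifest cannot be edited from the victim.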