Re: Visited by a cracker

From: Alan Hicks (alan_at_lizella.net)
Date: 07/12/04

Date: Sun, 11 Jul 2004 20:39:25 -0400
To: focus-linux@securityfocus.com

    My first suggestion would be to ask the good people in
    alt.os.linux.slackware for a bit of advice. Specifically I posted this
    recent addendum to the FAQ there:

    http://wombat.san-francisco.ca.us/faqomatic/cache/124.html

    On Jul 11, 2004, at 10:45 AM, Per Christian B. Viken wrote:
    > Is there anything else I should check out? Anywhere else some nasty
    > exploits or trojans might be hiding? And should I try to find this guy?
    > Or is it probably hopeless?

    As mentioned in that article crackers often like to hide binaries in
    strange places so searching /dev /tmp /var/tmp /usr/src/linux et cetera
    isn't just paranoid, it could be a good idea. However in this case I
    don't think you've got that much to worry about. The cracker obviously
    wasn't smart enough to remove his own .bash_history, and probably
    didn't insert that kmod either (I still wouldn't trust modprobe,
    insmod, or that kernel however. A little paranoia never hurt anyone).
    Of course the only way to be 100% certain that you don't have any
    backdoors open is to wipe the box clean and re-install.

    Finding the guy is probably hopeless given that all his IPs are in
    other countries (I'm going by the whois info on angryadmin.net here).
    Still, you could give it a shot, and at least alert whoever owns those
    boxen that they have a cracker among their ranks. I'd say as a good
    netizen you have that obligation at least.

    --

    It is better to hear the rebuke of the wise,
    Than for a man to hear the song of fools.
    Ecclesiastes 7:5


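The "search the strange places" advice above, turned into a runnable sweep. This is an added example, not code from the thread or from the Slackware FAQ it points to: it assumes only POSIX sh, find and sed, takes a root directory argument so it can be exercised on a constructed tree before being pointed at a live box, and tags each finding so the output can be reviewed (ideally from a rescue boot, since the message notes the running kernel and modprobe/insmod should not be trusted).

```shell
#!/bin/sh
# Added example (not from the thread): sweep the "strange places" the message
# lists for stashed binaries. Assumes POSIX sh, find and sed only.

# find_hidden_binaries ROOT  -> prints one "tag: path" line per finding
find_hidden_binaries() {
    root="${1:-/}"
    # /dev should contain device nodes, symlinks and directories; a regular
    # file there is anomalous and worth a look.
    if [ -d "$root/dev" ]; then
        find "$root/dev" -type f 2>/dev/null | sed 's/^/regular-file-in-dev: /'
    fi
    # Scratch areas and the kernel source tree: flag setuid/setgid files,
    # regular files with any execute bit, and hidden dot-directories.
    for d in tmp var/tmp usr/src/linux; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null \
            | sed 's/^/setuid-or-setgid: /'
        find "$root/$d" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null \
            | sed 's/^/executable: /'
        find "$root/$d" -type d -name '.*' 2>/dev/null \
            | sed 's/^/hidden-dir: /'
    done
}

# make_sample_tree DIR -> constructed tree for an offline dry run (not a real box)
make_sample_tree() {
    mkdir -p "$1/dev" "$1/tmp/.hidden" "$1/var/tmp"
    : > "$1/dev/.shm"                                       # regular file parked in /dev
    : > "$1/tmp/.hidden/bd"; chmod 755 "$1/tmp/.hidden/bd"  # executable in a hidden dir
    : > "$1/tmp/notes.txt";  chmod 644 "$1/tmp/notes.txt"   # benign; must not be flagged
}

# Real use (as root): find_hidden_binaries /
```

Anything the sweep reports still has to be judged by hand; a legitimate package build in /tmp will show up too, so the tags are a starting point for review, not a verdict.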