Re: Strange command histories in hacked shell server

From: Ganbold (ganbold_at_micom.mng.net)
Date: 12/19/04

    Date: Sun, 19 Dec 2004 18:00:36 +0800
    To: Valdis.Kletnieks@vt.edu
    
    

    At 03:37 AM 12/18/2004, you wrote:
    >On Fri, 17 Dec 2004 09:19:26 +0800, Ganbold said:
    > > Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to
    > > home/tsgan/.tmp/known_hosts.
    > > I don't know why.
    >
    >Have you considered maybe "Save a copy in .tmp before uploading/updating
    >it, just in case I screw up"? :)

    No, I think I didn't do that.

    > > sleep - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
    > > ^^^^^^
    > > stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
    > > stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
    > > ^^^^^^
    > > fortune - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
    > > ...
    > >
    > > I don't quite understand why he used sleep and stty commands in above.
    > > My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
    >
    >My suspect is that your .login contains a 'fortune', an 'stty' or two, and
    >a 'sleep', and those happened at login

    I think probably not, because the standard FreeBSD .login contains only the
    following line:

    [ -x /usr/games/fortune ] && /usr/games/fortune freebsd-tips

    > - the first *real* command actually issued was probably a 'su -c cat
    >something', after which the person logged out, causing the login 'sh' and
    >'sshd' to exit.

    stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
    stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
    ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
    id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
    ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
    cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:23
    su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 00:23
    cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
    sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
    stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
    stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
    fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
    ...
    Do you know what "#C:5:0x2" means? I still don't know what it is.
    Do you have some idea?

    thanks,

    Ganbold
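As an added example (not part of the thread and not FreeBSD's code), the following Python script parses lastcomm(1) records in the format quoted in the message above. It restores chronological order (lastcomm prints the newest record first), decodes the raw tty field, and reports any tty whose accounting records are charged to more than one user, which is the pattern an investigator would want to see when a `su` shows up in the history. The sample input is the set of records quoted in the message, constructed inline; reading the tty field as "#C:<major>:0x<minor>" is an assumption on my part (it matches the fallback string FreeBSD's devname(3) produces when a device number cannot be resolved to a name, so the "#C:5:0x2" entries would be character device major 5, minor 2).

```python
import re
from collections import OrderedDict

# Constructed sample input: the lastcomm(1) records quoted in the message above
# (FreeBSD process accounting, newest record first), plus the trailing "...".
LASTCOMM_SAMPLE = """\
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:23
su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 00:23
cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
...
"""

# One lastcomm record: command, flags, user, tty, CPU seconds, start time.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<flags>\S+)\s+(?P<user>\S+)\s+(?P<tty>\S+)\s+"
    r"(?P<secs>\d+\.\d+)\s+secs\s+(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d)$"
)

# Assumption: an unresolved tty device number is printed as "#C:<major>:<minor>",
# with the minor in hex (the devname(3) fallback form), e.g. "#C:5:0x2".
RAW_DEV_RE = re.compile(r"^#(?P<type>[CB]):(?P<major>\d+):(?P<minor>0x[0-9a-fA-F]+|\d+)$")


def parse_lastcomm(text):
    """Parse lastcomm output into a list of dicts, oldest record first."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip "..." and anything that is not a record
        rec = m.groupdict()
        rec["secs"] = float(rec["secs"])
        records.append(rec)
    records.reverse()  # lastcomm lists the newest record first
    return records


def decode_tty(tty):
    """Return (type, major, minor) for a raw device string, or None for a named tty."""
    m = RAW_DEV_RE.match(tty)
    if m is None:
        return None
    return m.group("type"), int(m.group("major")), int(m.group("minor"), 0)


def sessions_by_tty(records):
    """Group (user, command) pairs per tty, preserving chronological order."""
    per_tty = OrderedDict()
    for rec in records:
        per_tty.setdefault(rec["tty"], []).append((rec["user"], rec["cmd"]))
    return per_tty


def find_identity_changes(records):
    """Report ttys whose records are charged to more than one user.

    Accounting records are written when a process exits, so a long-lived su
    can be listed later than the commands run under the new identity; the
    check therefore looks at the whole tty instead of at what follows the su.
    Returns a list of (tty, users in order of first appearance, su_seen).
    """
    findings = []
    for tty, entries in sessions_by_tty(records).items():
        users = []
        for user, _ in entries:
            if user not in users:
                users.append(user)
        if len(users) > 1:
            su_seen = any(cmd == "su" for _, cmd in entries)
            findings.append((tty, users, su_seen))
    return findings


if __name__ == "__main__":
    recs = parse_lastcomm(LASTCOMM_SAMPLE)
    for tty, users, su_seen in find_identity_changes(recs):
        dev = decode_tty(tty)
        where = tty if dev is None else "%s (char dev major %d, minor %d)" % (tty, dev[1], dev[2])
        print("tty %s used by %s, su record present: %s" % (where, " -> ".join(users), su_seen))
```

Run stand-alone it prints the one finding for the quoted records (the tty used first by tsgan, then by tugstugi, with an su in between); on a real system the output of `lastcomm` can be fed to `parse_lastcomm` directly. The multi-user check is deliberately simple: it cannot tell a legitimate su from an abusive one, it only points the investigator at the tty and the order in which the identities appeared.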

