Re: Please advise
From: Bill Unruh (unruh@string.physics.ubc.ca) Date: 05/27/02
- Next message: Akshay Saxena: "Unix Certification"
- Previous message: Bit Twister: "Re: Please advise"
- In reply to:(deleted message) Adrian Smith: "Please advise"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: unruh@string.physics.ubc.ca (Bill Unruh) Date: 27 May 2002 00:46:23 GMT
adrian@snaffles.REMOVE_THIS_WORD.demon.co.uk (Adrian Smith) writes:
]Hello,
] I appear to have been hacked - which I find a little puzzling.
]Restoring the affected files, upgrading my system and removing
]all unwanted services is annoying but doable, but why would
]anyone have chosen me as a target?
Because they can now use your machine to launch an attack on, say, the Pentagon,
or wherever else they wish, and you will be blamed, not they.
] Is there anything else I can do about it?
] It's annoying that us home users have to take this stuff seriously.
] I logged on today as I usually do to get my emails and download
]news from this pretty ancient Red Hat 5.2/2.0.36 kernel and all
]seemed well.
And for some reason had never ever bothered to install all of the
security updates which are required. Not surprising you got hacked.
] The second time I logged on, innd wouldn't start up because
]/var/log/new had gone missing as had a load of other log files
]including /var/log/wtmp.
]/var/log/secure contained the line:
]May 26 18:54:35 snaffles in.ftpd[1756]: connect from 194.19.96.146
]and /var/log/messages had the lines:
]May 26 18:54:40 snaffles ftpd[1756]: ANONYMOUS FTP LOGIN FROM
]194.19.96.146 [194.19.96.146], mozilla@
]May 26 18:56:03 snaffles ftpd[1756]: exiting on signal 11
]ls -altr ~ftp had the files:
And you left your anonymous ftp (why are you running anonymous ftp --
are you really serving the world with some downloadable files?) open for
writing -- bad idea. Even without the break-in they could use your site
as a repository for kiddy porn or cracker programs, and again, it is you,
not they who will get blamed.
]-rw-r--r-- 1 root bin 444172 May 26 18:44 gavish.tgz
]drwxr-xr-x 9 root system 1024 May 26 18:48 .
]- so the file was older than the ftp session and could only have
]been put there by root?
]The tar file contains the files:
]chattr.tgz logclear* ps* sl2* wget.tgz
] .save ifconfig* lpi* s_h_k sysinfo*
]bashrc* init* netstat* s_r_s tcp.log
]becys.cgi* install* pico.tgz sense* top*
]some which have overwritten my system files. /bin/netstat for
]example now looks at /dev/caca which contains the lines:
]1 194.105.23.229
]1 24.104.0
]1 194.102.225.235
]1 235.cablemodem-hfc05.cta.ro
]1 wan-hfc.cta.ro
]3 33053
]3 1025
]3 15051
]3 6667
]3 9752
]4 6667
]4 9752
]4 15051
]4 33133
]4 2222
]FWIW, the install file starts:
]#!/bin/bash
]# Made By ICE
] but after that I see no English. I don't recognise the language but
]samples include:
]echo "${WHI}---${RED} Verificam daca suntem ROOT ${WHI} !!!${RES}"
]echo "${RED}--- ${DRED}!!! ${RED}Atentie tu eshti de fapt \
]${YEL}$USERID${RED} si nu ${GRN}RooT ${DRED}!!!${RES}"
]echo "${WHI} Asta ii un ${BLU}ROOTKIT${WHI} deshteptule\
] si trebuie sa aiba ${GRN}uid=0${RES}"
]echo "${WHI} @@@ ${GRN}OK ${BLU}ADRIAN sau care eshti \
]pe acolo , de preferabil un HACKER:-)${GRN} .., deci sa bagam mare \
]${BLU}!!!${WHI}@@@${RES} "
]If I'm slow in responding to any helpful replies it might be because
]my upgrade is going badly.
Save all your home and other files, wipe the disk and reinstall a newer
version of the OS. Then before anything else go to Red Hat and download
all of the security updates. Then search all the files which you restore
from your backup for suid root or sgid root files.
]Adrian Smith
]http://www.snaffles.demon.co.uk
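A shell script carrying out the audit the reply recommends on a restored backup tree, added here as an example and not part of the thread. The sample tree, its file names and the /dev/caca string check are constructed from the details in the post; the owner filter is a parameter so the demo runs without root-owned files.

```bash
#!/bin/bash
# Added example (not from the thread): audit a restored backup tree before
# trusting it. Two checks: list setuid/setgid files with their owner, so the
# root-owned ones can be reviewed as the reply advises; and flag files that
# embed a hidden config path, as the trojaned netstat did with /dev/caca.

# Print "mode owner path" for each setuid or setgid regular file under $1.
list_setid_files() {
    # -perm -4000 = setuid bit set, -perm -2000 = setgid bit set (POSIX find)
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null |
        awk '{print $1, $3, $NF}' | sort -k3
}

# Count the setid files under $1 owned by user $2 (root in a real audit).
count_setid_owned_by() {
    list_setid_files "$1" | awk -v u="$2" '$2 == u' | wc -l | tr -d ' '
}

# List files under $1 whose bytes contain the fixed string $2; -a makes grep
# treat binaries as text, so a trojaned tool reading a hidden file shows up.
files_referencing() {
    grep -rlaF -- "$2" "$1" 2>/dev/null | sort
}

# Build a constructed sample tree standing in for the restored backup.
make_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/bin" "$t/usr/bin" "$t/home/adrian"
    printf '#!/bin/sh\necho passwd\n' > "$t/bin/passwd"      # expected setuid
    chmod 4755 "$t/bin/passwd"
    printf '#!/bin/sh\necho wall\n' > "$t/usr/bin/wall"      # expected setgid
    chmod 2755 "$t/usr/bin/wall"
    printf 'fake ELF\n/dev/caca\n' > "$t/bin/netstat"        # trojaned copy
    chmod 755 "$t/bin/netstat"
    printf 'notes\n' > "$t/home/adrian/notes.txt"            # ordinary file
    echo "$t"
}

demo() {
    local t
    t=$(make_sample_tree)
    echo "setuid/setgid files under $t:"; list_setid_files "$t"
    echo "files referencing /dev/caca:"; files_referencing "$t" /dev/caca
    rm -rf "$t"
}
demo
```

On a real restore, run list_setid_files against the mounted backup and review every root-owned entry that is not a known system binary; anything the string check flags should be compared against a clean copy rather than trusted.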