To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: FW: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached!)
From: Michael Holmes <maholmes@xxxxxxxxxx>
Date: Sat, 20 May 2000 17:44:07 -0500
Reply-to: discussion@xxxxxxxxx

Hey, when I was attacked, I was using Kmail as /home/mike  NOT AS ROOT,  I have
encrypted and shadow passwords and they popped right up on the screen that
first one, it said it was too weak;  now I understand!

On Thu, 18 May 2000, you wrote:
> Here's a third
> -----Original Message-----
> From: owner-linux-admin@xxxxxxxxxxxxxxxx
> [mailto:owner-linux-admin@xxxxxxxxxxxxxxxx] On Behalf Of Julius C. Duque
> Sent: Wednesday, May 17, 2000 2:47 AM
> To: Jim Roland
> Cc: linux-net@xxxxxxxxxxxxxxxx; linux-admin@xxxxxxxxxxxxxxxx;
> linux-newbie@xxxxxxxxxxxxxxxx
> Subject: Re: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack:
> DOS attack, log file attached!)
> On Wed, 17 May 2000, Jim Roland wrote:
> > Gee guess what!?!  I have the guy's IP address and host names.  Sorry, I
> > don't remember a guy's name who told me he ran the attachment as root and
> > found a file called ".rhosts", but it might be wise to chronicle your
> > information, look in your logs (messages and syslogs) and send what
> > information you have to Worldcom's Security department (email address noted
> > a few paragraphs below).  Also, immediately change all your passwords.  If
> > you were in as root, he did get your shadow file, and encrypted passwords
> > *can* be broken.  Change them immediately.  If the date of your .rhosts
> > file is at or just after the time of the attack, delete it.
> That was me. The date of .rhosts on my /home dir was near the time I
> executed the trojan email. I have already deleted that .rhosts. I also
> noticed that sendmail had spawned a child process and was executing a
> program/script ./ex4XXXX or something similar (I can't recall the
> exact filename). I killed it, then decided to reboot the whole system
> afterwards.
> The /etc/passwd on my machine has /dev/null for the shell of users.
> Only admins have /bin/bash shells. I also have tcp wrapper installed
> long before this event happened. So, even if this cracker cracks the
> admins' passwords, he still has to login first to our dialup before
> he can telnet to the main server. Of course, I've already changed the
> root's password, as well as informed the other admins to change
> theirs, too. Also, since the shell of "ordinary" users is set to
> /dev/null, a user still cannot enter the server. Without a
> legitimate login shell, the system will just log him/her out
> immediately after logging in. If you want, you could use
> /bin/false instead of /dev/null.
> Additionally, it's a good thing that I configured /etc/securetty
> a long time ago so that root can only log on the console. The
> password field on non-human accounts (nobody, guest, ftp, shutdown,
> sync, bin, ftp, etc.) has long been disabled to shut out backdoors.
> I have put all users (except for admins) on /etc/ftpusers, chmod 600,
> to prevent non-admins from using the ftp service long before this
> disaster happened. I've also checked my .procmailrc. Why? You could
> execute arbitrary commands using the following .procmailrc recipe:
> :0:
> * $ ^Subject:[ ^I]*\/[ ^I].*
> | ${MATCH}
> The ^I stands for <tab>. This recipe will execute anything that's
> on the subject line of an email. Imagine if this .procmailrc
> recipe is located on root's directory! Someone just sends an
> email to root with a Subject line: "rm -rf /" and BOOM! Bye-bye!
> About the only thing I regret now is not installing Tripwire beforehand.
> Ouch!
> > May 16 16:47:53 ns sendmail[26775]: NOQUEUE: SYSERR: putoutmsg
> ( error on output channel sending "220
> ESMTP Sendmail 8.8.7/8.8.7; Tue, 16 May 2000 16:47:52 -0500":
> Broken pipe
> I've been seeing this IP in /var/log/syslog for about a week now, trying
> unsuccessfully to telnet and ftp to my machine. Yes, you're right,
> this guy came from Chicago.
> >
> > We know he's in Chicago, we have his IP on 2 different occasions, and know
> > of 2 systems he's hijacked.  The 2nd ( is in California.
> Julius
Michael A. Holmes
A positive attitude may not solve all of your problems, but it will annoy
enough people to make it worth the effort

                                            Herm Albright
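
Added example, not part of the original messages: a defender-side audit for the two artefacts raised in the quoted post, a .procmailrc recipe that pipes mail to a variable such as ${MATCH} and a .rhosts file whose modification time should be compared with the incident time. The function names and the sample .procmailrc are constructed for illustration.

```python
import os, re

# Pipe action whose command text is a variable ("| ${MATCH}", "| $MATCH"):
# whatever was captured from the mail decides which program runs.
VAR_CMD = re.compile(r"^\|\s*\$\{?(\w+)\}?")
# Condition line using procmail's \/ operator, which fills $MATCH.
CAPTURE = re.compile(r"^\*.*\\/")

# Constructed sample; first recipe is the one quoted in the thread
# (^I is the post's notation for a tab), second is a fixed-command pipe.
SAMPLE = r"""# constructed .procmailrc
:0:
* $ ^Subject:[ ^I]*\/[ ^I].*
| ${MATCH}

:0
* ^Subject:.*backup report
| /usr/bin/gzip -c >> reports.gz
"""

def audit_procmailrc(text):
    """Return one finding per recipe that pipes mail to a variable."""
    findings, lines, i = [], [l.strip() for l in text.splitlines()], 0
    while i < len(lines):
        if not lines[i].startswith(":0"):
            i += 1
            continue
        start, captures = i + 1, False      # 1-based line of ":0"
        i += 1
        # Skip conditions ("*"), comments and blanks up to the action line.
        while i < len(lines) and (lines[i] == "" or lines[i][0] in "*#"):
            captures = captures or bool(CAPTURE.match(lines[i]))
            i += 1
        m = VAR_CMD.match(lines[i]) if i < len(lines) else None
        if m:
            findings.append({"line": start, "variable": m.group(1),
                             "mail_controlled": captures and m.group(1) == "MATCH"})
        i += 1
    return findings

def audit_home(home):
    """Check a home directory for the two artefacts named in the thread."""
    report = {"rhosts_mtime": None, "procmail": []}
    rhosts, rc = os.path.join(home, ".rhosts"), os.path.join(home, ".procmailrc")
    if os.path.isfile(rhosts):       # compare this time with the incident time
        report["rhosts_mtime"] = os.path.getmtime(rhosts)
    if os.path.isfile(rc):
        with open(rc, errors="replace") as fh:
            report["procmail"] = audit_procmailrc(fh.read())
    return report
```

Run `audit_home()` over each home directory, root's included; a finding with `mail_controlled` set means the sender of a message chooses the command, which is the case the quoted post describes.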
