Complete.Org: Mailing Lists: Archives: discussion: May 2000:
[aclug-L] Re: FW: Gee...guess what?! (was URGENT!!!!!!! Pine hacking att
To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: FW: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack: DOS attack, log file attached!)
From: Jonathan Hall <jonhall@xxxxxxxxxxxx>
Date: Sat, 20 May 2000 21:05:35 -0500
Reply-to: discussion@xxxxxxxxx

Just as a side note... traditionally on UNIX systems, only the first 8
characters of the password are relevant.  On some Linux systems, it's as
many as 16 (and can be set to more, if you want).

In other words...

a0b1c2d3e4f5g6h7i8j9

is the same as:

a0b1c2d3e4

Adding more than 8 (or 16) characters has no effect on security.  Try it
sometime... try just typing the first 8 characters of your password--you'll
probably get logged in.  If not, try just the first 16 :-)


On Sat, May 20, 2000 at 05:44:07PM -0500, Michael Holmes wrote:
> Hey, when I was attacked, I was using Kmail as /home/mike  NOT AS ROOT,  I
> have encrypted and shadow passwords and they popped right up on the screen
> that night!   NOW I HAVE AN ENTIRE SENTENCE FOR MY ROOT PASSWORD!  When I
> picked the first one, it said it was too weak;  now I understand!
> 
> On Thu, 18 May 2000, you wrote:
> > Here's a third
> > 
> > -----Original Message-----
> > From: owner-linux-admin@xxxxxxxxxxxxxxxx
> > [mailto:owner-linux-admin@xxxxxxxxxxxxxxxx] On Behalf Of Julius C. Duque
> > Sent: Wednesday, May 17, 2000 2:47 AM
> > To: Jim Roland
> > Cc: linux-net@xxxxxxxxxxxxxxxx; linux-admin@xxxxxxxxxxxxxxxx;
> > linux-newbie@xxxxxxxxxxxxxxxx
> > Subject: Re: Gee...guess what?! (was URGENT!!!!!!! Pine hacking attack:
> > DOS attack, log file attached!)
> > 
> > 
> > On Wed, 17 May 2000, Jim Roland wrote:
> > 
> > > Gee guess what!?!  I have the guy's IP address and host names.  Sorry, I
> > > don't remember a guy's name who told me he ran the attachment as root and
> > > found a file called ".rhosts", but it might be wise to chronicle your
> > > information, look in your logs (messages and syslogs) and send what
> > > information you have to Worldcom's Security department (email address
> > > noted a few paragraphs below).  Also, immediately change all your
> > > passwords.  If you were in as root, he did get your shadow file, and
> > > encrypted passwords *can* be broken.  Change them immediately.  If the
> > > date of your .rhosts file is at or just after the time of the attack,
> > > delete it.
> > 
> > That was me. The date of .rhosts on my /home dir was near the time I
> > executed the trojan email. I have already deleted that .rhosts. I also
> > noticed that sendmail had spawned a child process and was executing a
> > program/script ./ex4XXXX or something similar (I can't recall the
> > exact filename). I killed it, then decided to reboot the whole system
> > afterwards.
> > 
> > The /etc/passwd on my machine has /dev/null for the shell of users.
> > Only admins have /bin/bash shells. I also have tcp wrapper installed
> > long before this event happened. So, even if this cracker cracks the
> > admins' passwords, he still has to log in first to our dialup before
> > he can telnet to the main server. Of course, I've already changed the
> > root's password, as well as informed the other admins to change
> > theirs, too. Also, since the shell of "ordinary" users is set to
> > /dev/null, a user still cannot enter the server. Without a
> > legitimate login shell, the system will just log him/her out
> > immediately after logging in. If you want, you could use
> > /bin/false instead of /dev/null.
> > 
> > Additionally, it's a good thing that I configured /etc/securetty
> > a long time ago so that root can only log on at the console. The
> > password fields on non-human accounts (nobody, guest, ftp, shutdown,
> > sync, bin, ftp, etc.) have long been disabled to shut out backdoors.
> > 
> > I have put all users (except for admins) on /etc/ftpusers, chmod 600,
> > to prevent non-admins from using the ftp service long before this
> > disaster happened. I've also checked my .procmailrc. Why? You could
> > execute arbitrary commands using the following .procmailrc recipe:
> > 
> > :0:
> > * $ ^Subject:[ ^I]*\/[ ^I].*
> > | ${MATCH}
> > 
> > The ^I stands for <tab>. This recipe will execute anything that's
> > on the subject line of an email. Imagine if this .procmailrc
> > recipe is located on root's directory! Someone just sends an
> > email to root with a Subject line: "rm -rf /" and BOOM! Bye-bye!
> > 
> > About the only thing I regret now is not installing Tripwire beforehand.
> > Ouch!
> > 
> > > May 16 16:47:53 ns sendmail[26775]: NOQUEUE: SYSERR: putoutmsg
> > > (chi-qbu-nvb-vty13.as.wcom.net): error on output channel sending "220
> > > mail.roland.net ESMTP Sendmail 8.8.7/8.8.7; Tue, 16 May 2000 16:47:52 -0500":
> > > Broken pipe
> > 
> > I've been seeing this IP in /var/log/syslog for about a week now, trying
> > unsuccessfully to telnet and ftp to my machine. Yes, you're right,
> > this guy came from Chicago.
> > >
> > > We know he's in Chicago, we have his IP on 2 different occasions, and know
> > > of 2 systems he's hijacked.  The 2nd (mediaserve.net) is in California.
> > 
> > 
> > Julius
> > 
> > 
> -- 
> Michael A. Holmes
> ---------------------------
> A positive attitude may not solve all of your problems, but it will annoy
> enough people to make it worth the effort
> 
>                                             Herm Albright
> 

--
Tech Support: "What version of the Mac OS are you using?"
Customer: "Word 6.0."
--
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Jonathan Hall  *  jonhall@xxxxxxxxxxxx  *  PGP public key available
 Systems Admin, Future Internet Services; Goessel, KS * (316) 367-2487
         http://www.futureks.net  *  PGP Key ID: FE 00 FD 51
                  -=  Running Debian GNU/Linux  =-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
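Two of the practices quoted above lend themselves to a quick check: the .procmailrc recipe that pipes the Subject line into a shell via ${MATCH}, and the habit of giving non-admin accounts /dev/null (or /bin/false) as a login shell. The script below is an added example written for this archive page; it is not code from Julius, Jim, or the aclug list, and the .procmailrc, /etc/passwd lines and message headers in it are constructed samples, not data from any host in the thread. It models procmail's `\/` operator (which sets where $MATCH starts) with a Python capture group, since Python's re has no such operator, and it treats /sbin/nologin and /usr/sbin/nologin as non-login shells on the assumption that those exist on the host being audited.

```python
import re
from typing import List, Optional, Set

# Constructed sample .procmailrc (not from the thread's hosts).  The first
# recipe is the one quoted in the discussion; the second is an ordinary
# folder delivery included for contrast.  "\t" stands in for the ^I (tab)
# of the original.
SAMPLE_PROCMAILRC = (
    ":0:\n"
    "* $ ^Subject:[ \t]*\\/[ \t].*\n"
    "| ${MATCH}\n"
    "\n"
    ":0:\n"
    "* ^From:.*list@example\\.org\n"
    "lists/\n"
)

# procmail's \/ operator starts $MATCH at that point in the pattern.  Python's
# re has no equivalent, so the tail is captured with a group instead.
SUBJECT_MATCH_RE = re.compile(r"^Subject:[ \t]*([ \t].*)$", re.MULTILINE)


def match_from_headers(headers: str) -> Optional[str]:
    """What $MATCH would hold for the quoted recipe, given raw headers."""
    m = SUBJECT_MATCH_RE.search(headers)
    return m.group(1) if m else None


def parse_recipes(text: str) -> List[dict]:
    """Split a .procmailrc into {flags, conds, action} dicts.

    Only the subset of syntax used here is handled: a ':0' line, zero or
    more '*' conditions, then one action line.
    """
    recipes: List[dict] = []
    cur = None
    for line in text.splitlines():
        if line.startswith(":0"):
            cur = {"flags": line.strip(), "conds": [], "action": None}
            recipes.append(cur)
        elif cur is None or not line.strip():
            continue
        elif line.startswith("*"):
            cur["conds"].append(line[1:].strip())
        elif cur["action"] is None:
            cur["action"] = line.strip()
    return recipes


# An action that pipes into $MATCH (or ${MATCH}) hands mail-controlled text
# to the shell as the command itself.
MATCH_AS_COMMAND_RE = re.compile(r"^\|\s*\$\{?MATCH\}?")


def unsafe_recipes(text: str) -> List[dict]:
    """Recipes whose action line runs $MATCH as the command."""
    return [r for r in parse_recipes(text)
            if r["action"] and MATCH_AS_COMMAND_RE.match(r["action"])]


# Constructed /etc/passwd excerpt; names and shells are invented.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "bin:x:1:1:bin:/bin:/bin/false\n"
    "ftp:x:14:50:FTP User:/var/ftp:/dev/null\n"
    "julius:x:500:500:admin:/home/julius:/bin/bash\n"
    "alice:x:501:501:mail only:/home/alice:/dev/null\n"
    "bob:x:502:502:mail only:/home/bob:/bin/sh\n"
)

# /dev/null and /bin/false are the two the thread mentions; the nologin
# binaries are the modern equivalents (assumption: they exist on the host).
NOLOGIN_SHELLS: Set[str] = {"/dev/null", "/bin/false",
                            "/sbin/nologin", "/usr/sbin/nologin"}


def login_capable(passwd_text: str, admins: Set[str]) -> List[str]:
    """Non-admin accounts whose shell field would still give a session."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, shell = fields[0], fields[6]
        if name not in admins and shell not in NOLOGIN_SHELLS:
            found.append(name)
    return found


if __name__ == "__main__":
    # Constructed message headers, one carrying the payload from the thread.
    for hdrs in ("Subject: weekly report\n", "Subject:\trm -rf /\n"):
        print(repr(match_from_headers(hdrs)))
    for r in unsafe_recipes(SAMPLE_PROCMAILRC):
        print("unsafe recipe:", r["conds"], "->", r["action"])
    print("can still log in:", login_capable(SAMPLE_PASSWD, {"root", "julius"}))
```

Note that the recipe's condition matches every Subject line, not just hostile ones, so an ordinary subject like "weekly report" is also handed to the shell as a command; the fix is never to use $MATCH as the command, only as data passed to a fixed program. The passwd check flags "bob", whose /bin/sh shell undoes the /dev/null policy for that account; on a real host you would run it against /etc/passwd and the list of admin accounts, and pair it with a look at /etc/securetty and /etc/ftpusers as the thread describes.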