[aclug-L] I have been hacked!!!, I think.

To: "aclug-L@xxxxxxxxxxxx" <aclug-L@xxxxxxxxxxxx>
Subject: [aclug-L] I have been hacked!!!, I think.
From: "Carl B. Davis" <cdavis@xxxxxxxxxxxxx>
Date: Mon, 29 Jan 2001 11:42:29 -0600
Reply-to: discussion@xxxxxxxxx

Greetings,

Long-time lurker here.  I have a RH 6.0 server on my small LAN.  I use
IPMasq and a dial-up connection.  Came in this morning and had a very
unusual message waiting for me.  An attempt by root@localhost to send an
email to pureevil_op@xxxxxxxxxxx had bounced.  I have dug around my
system and find that Mr. Evil added himself and ftpdx (whatever that is)
as users.  Set himself up in the Home directory and sniffed out all the
other users and passwords for the system, including those for root.
Then he tried to send it out through sendmail from my system.  His
message got caught up in my Sendmail, and I don't think it has been
forwarded.  Following are some logs from my system that show the break
in.  It appears he simply telnetted in.  I like having telnet and ftp
turned on, but do not absolutely have to have it.  I have terminated it
now until I decide what to do.  According to the bounce message, my
sendmail will keep trying to deliver the email until February 1, 01.  I
want to kill the message, but it is not in my sendmail queue.  Any
ideas?  I also suppose I should report it to the FBI, for all it's
worth.  Any other thoughts are appreciated (other than telling me I'm
dumb not to have had better security).

Carl


Record of Logins:
Login from this address:
Jan 18 12:01:20 bigserver login: LOGIN ON 0 BY evil FROM
dsl-216-227-79-121.telocity.com



From the messages log:
?Jan 18 11:45:59 bigserver kernel: lp0: using parport0 (polling).
Jan 18 11:47:13 bigserver
Jan 18 11:47:13 bigserver syslogd: Cannot glue message parts together
Jan 18 11:47:13 bigserver 173>Jan 18 11:47:13 rpc.statd[394]:
gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff7
4c 8049850       0687465
676274736f6d616e797265206520726f7220726f66

      bffff718
           bffff719  bffff71a

bffff71b


Jan 18 11:47:13 bigserver



          1Àë|Y?A^P?A^HþÀ?A^D?ÃþÀ?^A?fÍ ³^B?Y^LÆA^N?ÆA^H^P?I^D
A^D^L?^A?fÍ ³
^D?fÍ ³^E0À?A^D?fÍ ?Î?Ã1É??Í þÁ??Í þÁ??Í Ç^F/binÇF^D/shA
0À?F^G?v^L V^P N^L?ó?^KÍ ?^AÍ ÿÿÿ
Jan 18 11:55:01 bigserver adduser[1671]: new group: name=evil, gid=518
Jan 18 11:55:01 bigserver adduser[1671]: new user: name=evil, uid=518,
gid=518,
home=/home/evil, shell=/bin/bash
Jan 18 11:55:28 bigserver adduser[1674]: new user: name=ftpdx, uid=0,
gid=0,
home=/home/ftpdx, shell=/bin/bash
Jan 18 11:56:37 bigserver PAM_pwdb[1677]: password for (ftpdx/0) changed
by ((null)/0)
Jan 18 11:57:55 bigserver PAM_pwdb[1683]: password for (evil/518)
changed by ((null)/0)
Jan 18 12:01:20 bigserver PAM_pwdb[1700]: (login) session opened for
user evil by (uid=0)
Jan 18 12:01:58 bigserver PAM_pwdb[1724]: (su) session opened for user
ftpdx by
evil(uid=518)
Jan 18 12:08:05 bigserver kernel: httpd uses obsolete
(PF_INET,SOCK_PACKET)
Jan 18 12:08:05 bigserver kernel: device eth0 entered promiscuous mode
Jan 18 12:08:06 bigserver userdel[1801]: delete user `ftp'
Jan 18 12:08:06 bigserver userdel[1801]: remove group `ftp'
Jan 18 12:08:11 bigserver PAM_pwdb[1724]: (su) session closed for user
ftpdx
Jan 18 12:08:14 bigserver PAM_pwdb[1700]: (login) session closed for
user evil
Jan 18 12:08:23 bigserver kernel: parport0: PC-style at 0x378 [SPP]
Jan 18 12:08:23 bigserver kernel: parport0: Printer, Hewlett-Packard HP
LaserJet 4000 Series
Jan 18 12:08:23 bigserver kernel: lp0: using parport0 (polling).
Jan 18 12:20:58 bigserver kernel: lp0: using parport0 (polling).
Jan 18 12:31:42 bigserver ftpd[2246]: FTP session closed
Jan 18 12:57:41 bigserver kernel: parport0: PC-style at 0x378 [SPP]
Jan 18 12:57:42 bigserver kernel: parport0: Printer, Hewlett-Packard HP
LaserJet 4000 Series



This was from maillog.2

[root@bigserver log]# grep evil maillog.2 | more
Jan 18 12:08:08 bigserver sendmail[1785]: MAA01772:
to=pureevil_op@xxxxxxxxxxx,
ctladdr=root (0/0), delay=00:00:03, xdelay=00:00:03,
 mailer=esmtp, relay=mc2.law5.hotmail.com. [216.32.243.135], stat=Sent
(Requested mail
action okay, completed)
Jan 20 11:03:02 bigserver sendmail[553]: LAA00549:
to=pureevil_op@xxxxxxxxxxx,
ctladdr=root (0/0), delay=00:00:00, xdelay=00:00:00,
mailer=esmtp, relay=hotmail.com, stat=Deferred: Name server:
hotmail.com: host name lookup
failure
Jan 20 11:04:37 bigserver sendmail[648]: LAA00549:
to=pureevil_op@xxxxxxxxxxx,
ctladdr=root (0/0), delay=00:01:35, xdelay=00:00:43,
mailer=esmtp, relay=mc6.law5.hotmail.com. [216.33.238.136], stat=Sent
(Requested mail action
okay, completed)
[root@bigserver log]#


-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
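The messages log and maillog quoted above contain every indicator a defender would want to alert on: a second uid-0 account created by adduser, a password set on it, an interactive login from an outside host, an su into the uid-0 account by an ordinary user, the interface going promiscuous (a sniffer), deletion of the system `ftp` account, and sendmail reporting root's outbound message as delivered. The script below is an added example, not part of the original post or of any tool the list discusses; it parses classic syslog lines and applies those rules statefully (the uid-0 rule learns the new account name and then catches the su into it). The sample lines are the post's own log lines with the archive's line wrapping undone; the trusted-host suffix `.localdomain` is an assumed placeholder for the poster's LAN.

```python
"""Triage rules over the syslog lines quoted in the post (added example).

Parses classic syslog format (month day time host program[pid]: message) and
applies stateful rules for the indicators visible in the messages log and maillog.
"""
import re
from dataclasses import dataclass

# Sample input: lines from the post with wrapped lines rejoined. Two benign lines
# and the partially-logged rpc.statd line are included so the rules have something
# to ignore; the rpc.statd fragment does not parse as syslog and is skipped.
SAMPLE_LOG = """\
Jan 18 11:45:59 bigserver kernel: lp0: using parport0 (polling).
Jan 18 11:47:13 bigserver syslogd: Cannot glue message parts together
Jan 18 11:47:13 bigserver 173>Jan 18 11:47:13 rpc.statd[394]:
Jan 18 11:55:01 bigserver adduser[1671]: new user: name=evil, uid=518, gid=518, home=/home/evil, shell=/bin/bash
Jan 18 11:55:28 bigserver adduser[1674]: new user: name=ftpdx, uid=0, gid=0, home=/home/ftpdx, shell=/bin/bash
Jan 18 11:56:37 bigserver PAM_pwdb[1677]: password for (ftpdx/0) changed by ((null)/0)
Jan 18 11:57:55 bigserver PAM_pwdb[1683]: password for (evil/518) changed by ((null)/0)
Jan 18 12:01:20 bigserver login: LOGIN ON 0 BY evil FROM dsl-216-227-79-121.telocity.com
Jan 18 12:01:58 bigserver PAM_pwdb[1724]: (su) session opened for user ftpdx by evil(uid=518)
Jan 18 12:08:05 bigserver kernel: device eth0 entered promiscuous mode
Jan 18 12:08:06 bigserver userdel[1801]: delete user `ftp'
Jan 18 12:08:08 bigserver sendmail[1785]: MAA01772: to=pureevil_op@xxxxxxxxxxx, ctladdr=root (0/0), delay=00:00:03, xdelay=00:00:03, mailer=esmtp, relay=mc2.law5.hotmail.com. [216.32.243.135], stat=Sent (Requested mail action okay, completed)
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def parse_line(line):
    """Return the syslog fields as a dict, or None for lines that are not well-formed."""
    m = SYSLOG_RE.match(line.rstrip())
    return m.groupdict() if m else None


def triage(log_text, trusted_suffixes=(".localdomain",)):
    """Apply the detection rules in log order; trusted_suffixes is an assumed LAN domain list."""
    findings = []
    uid0_accounts = {"root"}  # grows as the log reveals further uid-0 accounts
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. the rpc.statd fragment syslogd could not glue together
        ts, prog, msg = rec["ts"], rec["prog"], rec["msg"]
        if prog == "adduser":
            m = re.search(r"new user: name=(\S+), uid=(\d+)", msg)
            if m and m.group(2) == "0" and m.group(1) != "root":
                uid0_accounts.add(m.group(1))
                findings.append(Finding(ts, "new-uid0-account", m.group(1)))
        elif prog == "PAM_pwdb":
            m = re.search(r"password for \((\S+)/(\d+)\) changed by", msg)
            if m and m.group(2) == "0":
                findings.append(Finding(ts, "uid0-password-change", m.group(1)))
            m = re.search(r"\(su\) session opened for user (\S+) by (\S+)\(uid=(\d+)\)", msg)
            if m and m.group(1) in uid0_accounts and m.group(3) != "0":
                findings.append(Finding(ts, "su-to-uid0", f"{m.group(2)} -> {m.group(1)}"))
        elif prog == "login":
            m = re.search(r"LOGIN ON \S+ BY (\S+) FROM (\S+)", msg)
            if m and not m.group(2).endswith(trusted_suffixes):
                findings.append(Finding(ts, "remote-login", f"{m.group(1)} from {m.group(2)}"))
        elif prog == "kernel" and "entered promiscuous mode" in msg:
            findings.append(Finding(ts, "promiscuous-mode", msg.split()[1]))
        elif prog == "userdel":
            m = re.search(r"delete user `(\S+)'", msg)
            if m:
                findings.append(Finding(ts, "account-deleted", m.group(1)))
        elif prog == "sendmail":
            # Mail that sendmail handed off successfully on behalf of root.
            m = re.search(r"to=([^,]+),.*ctladdr=root .*stat=Sent", msg)
            if m:
                findings.append(Finding(ts, "mail-sent-as-root", m.group(1)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts}  {f.rule:<22} {f.detail}")
```

Run it against a concatenation of `/var/log/messages` and `/var/log/maillog` (with wrapped archive lines rejoined) and it prints one finding per indicator in timestamp order; the `mail-sent-as-root` rule also gives a direct answer to whether a queued message left the box, because sendmail logs `stat=Sent` only once the relay accepted it.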

