Security Incidents mailing list archives
Re: hacked @home with logs and info..
From: shadoze () FREEWWWEB COM (Shadow Boxer)
Date: Thu, 8 Jun 2000 13:44:29 -0400
nmorgowicz () RALCOIND COM wrote:
Hey all, this is my scenario. I was logged in to my home box, running a modified version of Mandrake 7.0, when I noticed a friend on my box but coming from a box in Japan. That sparked some interest, so I checked the last logins and noticed that someone from a few more places had logged in as him as well. Here's a paste of some of the information and IPs where he came from:

210.105.178.10
ns.nek.co.jp
modemcable056.1-201-24.sherb.mc.videotron.net
mail.almustaqbal.com.lb
cr215768-a.hnsn1.on.wave.home.com <-- used three times
www2.swan.me.ynu.ac.jp

What I also noticed is that he had two BitchX clients running, with one connecting to port 1080 to cafemartin.com, but having it say:

Jun 6 17:24:14 localhost named[1002]: Lame server on 'cafemartin.com' (in 'cafemartin.com'?): [216.173.223.2].53 'SHIT-HAPPENS-AT.L7.NET'

I'm also logging identd messages, and have noticed root being resolved.

Jun 6 08:20:36 localhost oidentd[18927]: Connection from 216.22.10.10:3806
Jun 6 08:20:36 localhost oidentd[18927]: [216.22.10.10] Successful lookup: 1235 , 6667 : root (root)

And no, I don't run IRC as root. :)

In the logs, I've also found this, which I think is a bit unusual:

Jun 6 13:58:42 localhost named[1002]: bad iquery from 127.0.0.1
Jun 6 13:59:30 localhost last message repeated 2 times
Jun 6 13:59:59 localhost named[1002]: bad iquery from 127.0.0.1

Well anyways, I took a look in his homedir and found three files: one executable, "a.out", which displays "Jumping to address bfffe6c4 BufSize 4480" when run; a file named s.c, which contains what I believe to be the source of the "a.out" executable; and finally a file named x.pl. Looking at the processes that he had run, one was a ./gn command, which I could never locate, plus /bin/sh, bash, and those two BitchX sessions.
What I did was first go in and disable his and all accounts but my own on the box, close telnet, because that's all he was using to come in, change the root password, and, in one press of the enter key, kill every process related to him on the box. Can anyone give me more information, or has anyone dealt with this guy before?

Thanks,
Nick Morgowicz
Looks to me like a typical cracker. Somehow the guy/girl has got your friend's password and logged onto the system. The .pl is a Perl script, which you could include snippets of, and that message you got from the a.out is obviously an attempt at a buffer overflow. Contact your friend and make sure his new password is strong, and ask him to keep it confidential. As for the host he was running BitchX from, this is a common practice on IRC: people use vhosts to mask their IP, or to look "leet". My suggestion: audit your box, and audit your users' passwords. Also, could you provide some snippets of that .pl Perl file? Just out of interest.
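The indicators Nick pasted (an identd lookup that resolves an IRC connection to root on a box where nobody runs IRC as root, BIND 8's "bad iquery" complaints coming from 127.0.0.1, one account logging in from several unrelated networks, and the a.out banner) can be triaged mechanically rather than by eye. The Python below is an added example by the editor, not code from either poster or anything in the thread; the sample input is constructed to match the log formats pasted above and reuses the hostnames and addresses the post lists. The IRC port set, the TLD-spread threshold and the 0xBFFFxxxx stack heuristic (the 32-bit Linux user stack just below the 0xC0000000 kernel split on 2.2/2.4-era kernels without ASLR) are assumptions, not facts from the post.

```python
"""Triage helpers for the indicators in the post above (added example, not
from the original thread).  Sample lines are constructed to match the oidentd,
BIND 8 named and a.out output formats pasted in the post."""
import re
from collections import defaultdict

# Ports IRC servers commonly listen on (assumption; extend for your network).
IRC_PORTS = {6667, 6668, 6669, 7000}

# oidentd: "[peer] Successful lookup: <local port> , <remote port> : <user> (<user>)"
IDENT_RE = re.compile(r"oidentd\[\d+\]: \[(?P<peer>[\d.]+)\] Successful lookup: "
                      r"(?P<lport>\d+) , (?P<rport>\d+) : (?P<user>\S+)")
# BIND 8 inverse-query complaint, and syslog's "repeated N times" collapsing
IQUERY_RE = re.compile(r"named\[\d+\]: bad iquery from (?P<src>[\d.]+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
# Banner printed by the a.out: "Jumping to address bfffe6c4 BufSize 4480"
BANNER_RE = re.compile(r"Jumping to address (?P<addr>[0-9a-fA-F]{8}) BufSize (?P<size>\d+)")


def triage_syslog(lines):
    """Return (indicator, detail) findings from a list of syslog lines."""
    findings = []
    iquery = defaultdict(int)   # source -> count, including "repeated N times"
    last_src = None             # source of the preceding bad-iquery line, if any
    for line in lines:
        m = IDENT_RE.search(line)
        if m:
            last_src = None
            # A root-owned socket to an IRC port, when the admin does not run IRC
            # as root, is a root-owned process the admin did not start: evidence
            # of privilege escalation, not just a misconfigured client.
            if m["user"] == "root" and int(m["rport"]) in IRC_PORTS:
                findings.append(("root_irc_client",
                                 f"{m['peer']} queried local port {m['lport']}"))
            continue
        m = IQUERY_RE.search(line)
        if m:
            last_src = m["src"]
            iquery[last_src] += 1
            continue
        m = REPEAT_RE.search(line)
        if m and last_src is not None:
            iquery[last_src] += int(m["n"])
            continue
        last_src = None
    for src, n in iquery.items():
        # Inverse queries are obsolete and mostly show up in probes aimed at named;
        # from 127.0.0.1 they were issued by a process on the box itself.
        local = " (local process)" if src == "127.0.0.1" else ""
        findings.append(("bad_iquery", f"{n} from {src}{local}"))
    return findings


def classify_banner(text):
    """Parse the exploit's banner and flag a jump target inside the 32-bit Linux
    user stack (heuristic: 0xBFFF0000-0xBFFFFFFF on non-ASLR kernels of the era),
    which is what a stack-smashing exploit prints as its return address."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    addr = int(m["addr"], 16)
    return {"addr": addr, "bufsize": int(m["size"]),
            "stack_target": 0xBFFF0000 <= addr < 0xC0000000}


def login_spread(sessions, threshold=3):
    """sessions: (user, host) pairs taken from last(1) output.  Flag any account
    seen from at least `threshold` distinct top-level domains, a crude proxy for
    geography: one friend on one ISP does not appear from .jp, .lb and .net in a day."""
    tlds = defaultdict(set)
    for user, host in sessions:
        tlds[user].add(host.rsplit(".", 1)[-1].lower())
    return {u: sorted(t) for u, t in tlds.items() if len(t) >= threshold}


# Constructed sample input, modelled on the lines pasted in the post.
SAMPLE_SYSLOG = [
    "Jun  6 08:20:36 localhost oidentd[18927]: Connection from 216.22.10.10:3806",
    "Jun  6 08:20:36 localhost oidentd[18927]: [216.22.10.10] Successful lookup: 1235 , 6667 : root (root)",
    "Jun  6 09:02:11 localhost oidentd[18990]: [216.22.10.10] Successful lookup: 1301 , 6667 : nick (nick)",
    "Jun  6 13:58:42 localhost named[1002]: bad iquery from 127.0.0.1",
    "Jun  6 13:59:30 localhost last message repeated 2 times",
    "Jun  6 13:59:59 localhost named[1002]: bad iquery from 127.0.0.1",
]
SAMPLE_SESSIONS = [
    ("friend", "ns.nek.co.jp"),
    ("friend", "modemcable056.1-201-24.sherb.mc.videotron.net"),
    ("friend", "mail.almustaqbal.com.lb"),
    ("friend", "cr215768-a.hnsn1.on.wave.home.com"),
    ("friend", "www2.swan.me.ynu.ac.jp"),
    ("nick", "localhost"),
]

if __name__ == "__main__":
    for finding in triage_syslog(SAMPLE_SYSLOG):
        print(*finding)
    print(classify_banner("Jumping to address bfffe6c4 BufSize 4480"))
    print(login_spread(SAMPLE_SESSIONS))
```

The point of the root_irc_client check is the one a practitioner would weigh most: identd reports the owner of the local socket, so a BitchX session resolving to root on a box whose admin never runs IRC as root means a root-owned process the admin did not start, and a password change for the friend's account does not undo that. Anything this triage flags is a reason to verify system binaries against known-good copies (or rebuild) rather than stop at disabling accounts.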
Current thread:
- Re: Port-scans from visited web-sites?, (continued)
- Re: Port-scans from visited web-sites? Erich Meier (Jun 10)
- scan log Max Gribov (Jun 11)
- Re: scan log Jason Witty (Jun 12)
- FW-1 log analysis tool Chew Poh Chang (CAPL) (Jun 08)
- Re: FW-1 log analysis tool Lance Spitzner (Jun 10)
- Re: FW-1 log analysis tool Kenneth Ish (Jun 11)
- port 12345 scanning Luke Dudney (Jun 11)
- Protocol 54 M J (Jun 07)
- Re: very strange scan patterns Ejovi Nuwere (Jun 07)
- hacked @home with logs and info.. nmorgowicz () RALCOIND COM (Jun 07)
- Re: hacked @home with logs and info.. Shadow Boxer (Jun 08)
- UDP Port 2078 Dundo (Jun 08)
- New KAK worm distribution out Roy Wilson (Jun 08)
- Re: hacked @home with logs and info.. Randy Mclean (Jun 09)
- Re: Microsoft version.binding us now? Bill Marquette (Jun 24)
- Re: Microsoft version.binding us now? John Hall (Jun 27)