Re: hacked @home with logs and info..

[shadoze () FREEWWWEB COM (Shadow Boxer)]

nmorgowicz () RALCOIND COM wrote:

> Hey all, this is my scenario.  I was logged in to my home
> box, running a modified version of Mandrake 7.0 when i
> noticed a friend on my box but coming from a box in japan.
> That sparked some interest, so i checked the last logins,
> and noticed that someone from a few more places had logged
> in as him as well.. Here's a paste of some of the
> information and ip's where he came from:
>
> 210.105.178.10
> ns.nek.co.jp
> modemcable056.1-201-24.sherb.mc.videotron.net
> mail.almustaqbal.com.lb
> cr215768-a.hnsn1.on.wave.home.com <-- used three times
> www2.swan.me.ynu.ac.jp
>
> What i also noticed, is that he had two BitchX clients
> running, with one connecting to port 1080 to
> cafemartin.com, but having it say:
>
> Jun  6 17:24:14 localhost named[1002]: Lame server
> on 'cafemartin.com' (in 'cafemartin.com'?):
> [216.173.223.2].53 'SHIT-HAPPENS-AT.L7.NET'
>
> I'm also logging identd messages, and have noticed root
> being resolved.
>
> Jun  6 08:20:36 localhost oidentd[18927]: Connection from
> 216.22.10.10:3806
> Jun  6 08:20:36 localhost oidentd[18927]: [216.22.10.10]
> Successful lookup: 1235 , 6667 : root (root)
>
> And no, i don't run irc as root. :)
>
> In the logs, i've also found this, which i think is a bit
> unusual:
>
> Jun  6 13:58:42 localhost named[1002]: bad iquery from
> 127.0.0.1
> Jun  6 13:59:30 localhost last message repeated 2 times
> Jun  6 13:59:59 localhost named[1002]: bad iquery from
> 127.0.0.1
>
> Well anyways, i took a look in his homedir, and found three
> files.  One executable "a.out", which displays "Jumping to
> address bfffe6c4 BufSize 4480" when running, a file named
> s.c, which contains what i believe to be the source of
> the "a.out" executable, and finally a file named x.pl.
> Looking at the processes that he had run, one was a ./gn
> command, which i could never locate, /bin/sh, bash, and
> those two BitchX sessions.
>
> What i did was first going in and disabling his and all
> accounts but my own on the box, closed telnet, because
> that's all he was using to come in, changed the root
> password, and in one press of the enter key, killed every
> process related to him on the box.
>
> Can anyone give me more information or has anyone dealt
> with this guy before?
>
> Thanks,
>
> Nick Morgowicz

Looks to me like a typical cracker.  Somehow the guy/girl has got your
friends password and logged onto the system.  The .pl is a perl script
which you could include snippets of, and that message you got from the
a.out is obviously an attempt at a buffer overflow.  Contact your friend
and make sure his new password is strong, and ask him to keep it
confidential.  As for the host he was running BitchX for, this is a
common practice on irc.  People use vhosts to mask their ip, or to look
"leet".  My suggestion, audit your box, and audit your user's
passwords.  Also, could you provide some snippets of that .pl perl
file?  Just out of interest.