Security Incidents mailing list archives
Re: hacked @home with logs and info..
From: rmclean () NATDOOR COM (Randy Mclean)
Date: Fri, 9 Jun 2000 16:34:11 -0500
It could be anyone, but from my experience, once they get into your computer they will put a ton of backdoors in using rootkits and other stuff. I doubt that just removing his account will be the end of it. My advice is to back up any NON-BINARY information like configuration files and do a complete reinstall of your system. Also, once you get back up and running, BLOCK all open ports you might have (I usually only leave 22 open for ssh). Hope this helps.

At 06:10 PM 6/7/2000 +0000, you wrote:
Hey all, this is my scenario. I was logged in to my home box, running a modified version of Mandrake 7.0, when I noticed a friend on my box but coming from a box in Japan. That sparked some interest, so I checked the last logins and noticed that someone from a few more places had logged in as him as well. Here's a paste of some of the information and IPs where he came from:

210.105.178.10
ns.nek.co.jp
modemcable056.1-201-24.sherb.mc.videotron.net
mail.almustaqbal.com.lb
cr215768-a.hnsn1.on.wave.home.com <-- used three times
www2.swan.me.ynu.ac.jp

What I also noticed is that he had two BitchX clients running, with one connecting to port 1080 on cafemartin.com, but having it say:

Jun 6 17:24:14 localhost named[1002]: Lame server on 'cafemartin.com' (in 'cafemartin.com'?): [216.173.223.2].53 'SHIT-HAPPENS-AT.L7.NET'

I'm also logging identd messages, and have noticed root being resolved.

Jun 6 08:20:36 localhost oidentd[18927]: Connection from 216.22.10.10:3806
Jun 6 08:20:36 localhost oidentd[18927]: [216.22.10.10] Successful lookup: 1235 , 6667 : root (root)

And no, I don't run IRC as root. :)

In the logs, I've also found this, which I think is a bit unusual:

Jun 6 13:58:42 localhost named[1002]: bad iquery from 127.0.0.1
Jun 6 13:59:30 localhost last message repeated 2 times
Jun 6 13:59:59 localhost named[1002]: bad iquery from 127.0.0.1

Well anyways, I took a look in his homedir and found three files: one executable, "a.out", which displays "Jumping to address bfffe6c4 BufSize 4480" when run; a file named s.c, which contains what I believe to be the source of the "a.out" executable; and finally a file named x.pl. Looking at the processes that he had run, one was a ./gn command, which I could never locate, /bin/sh, bash, and those two BitchX sessions.

What I did first was go in and disable his and all accounts but my own on the box, close telnet, because that's all he was using to come in, change the root password, and, in one press of the enter key, kill every process related to him on the box. Can anyone give me more information, or has anyone dealt with this guy before?

Thanks,
Nick Morgowicz
-- Randy Mclean Security/Network Administrator rmclean () natdoor com
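The checks the two posts imply, as an added example (this is not code from either poster): it parses constructed log lines modelled on Nick's oidentd and named entries, a constructed `last` listing and a constructed `netstat -tuln` listing, and flags ident lookups that attribute a socket to root, "bad iquery" sources (expanding syslog's "last message repeated N times" compression), accounts seen logging in from many distinct origins, and listening sockets outside Randy's "only 22 open" allow-list. All sample data, the account name "bob" and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample data, modelled on the lines quoted in the thread; not real logs.
SAMPLE_SYSLOG = """\
Jun  6 08:20:36 localhost oidentd[18927]: Connection from 216.22.10.10:3806
Jun  6 08:20:36 localhost oidentd[18927]: [216.22.10.10] Successful lookup: 1235 , 6667 : root (root)
Jun  6 09:02:11 localhost oidentd[19044]: [10.0.0.5] Successful lookup: 2044 , 6667 : nick (nick)
Jun  6 13:58:42 localhost named[1002]: bad iquery from 127.0.0.1
Jun  6 13:59:30 localhost last message repeated 2 times
Jun  6 13:59:59 localhost named[1002]: bad iquery from 127.0.0.1
"""

# `last` output: user, tty, origin host (blank for console logins), then the date.
SAMPLE_LAST = """\
bob      pts/2        ns.nek.co.jp     Tue Jun  6 17:02   still logged in
bob      pts/1        mail.almustaqbal.com.lb Tue Jun  6 13:40 - 14:10  (00:30)
bob      pts/0        cr215768-a.hnsn1.on.wave.home.com Tue Jun  6 08:15 - 09:00  (00:45)
bob      pts/0        www2.swan.me.ynu.ac.jp Mon Jun  5 22:10 - 23:30  (01:20)
nick     tty1                          Tue Jun  6 18:00   still logged in
reboot   system boot  2.2.14-15mdk     Mon Jun  5 07:30
"""

# `netstat -tuln` style listing (assumed format).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1080            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

IDENT_RE = re.compile(r"oidentd\[\d+\]: \[(?P<peer>[\d.]+)\] Successful lookup: "
                      r"(?P<lport>\d+) , (?P<rport>\d+) : (?P<user>\S+)")
IQUERY_RE = re.compile(r"named\[\d+\]: bad iquery from (?P<src>[\d.]+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")
LISTEN_RE = re.compile(r"^(?P<proto>tcp|udp)\S*\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s")
DAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}


def ident_root_sockets(syslog_text):
    """Ident lookups that attribute a network socket to root: (peer, local port, remote port)."""
    hits = []
    for line in syslog_text.splitlines():
        m = IDENT_RE.search(line)
        if m and m.group("user") == "root":
            hits.append((m.group("peer"), int(m.group("lport")), int(m.group("rport"))))
    return hits


def iquery_counts(syslog_text):
    """Count 'bad iquery' sources, crediting syslog's 'last message repeated N times'."""
    counts = defaultdict(int)
    last_src = None  # source of the preceding iquery line, if the previous line was one
    for line in syslog_text.splitlines():
        m = IQUERY_RE.search(line)
        if m:
            last_src = m.group("src")
            counts[last_src] += 1
            continue
        r = REPEAT_RE.search(line)
        if r and last_src is not None:
            counts[last_src] += int(r.group("n"))
            continue
        last_src = None  # any other message breaks the repeat chain
    return dict(counts)


def roaming_users(last_text, max_hosts=2):
    """Users seen logging in from more than max_hosts distinct origins, with those origins."""
    origins = defaultdict(set)
    for line in last_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] in ("reboot", "wtmp"):
            continue
        # Console logins have no origin column, so the third field is the weekday.
        host = "(console)" if parts[2] in DAYS else parts[2]
        origins[parts[0]].add(host)
    return sorted((u, sorted(h)) for u, h in origins.items() if len(h) > max_hosts)


def exposed_listeners(netstat_text, allowed=frozenset({22}), ignore_loopback=True):
    """Listening sockets outside the allow-list as (proto, addr, port); loopback-only ones skipped."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        addr, port = m.group("addr"), int(m.group("port"))
        if ignore_loopback and addr.startswith("127."):
            continue
        if port not in allowed:
            found.append((m.group("proto"), addr, port))
    return sorted(found)


if __name__ == "__main__":
    print("root-owned sockets via ident:", ident_root_sockets(SAMPLE_SYSLOG))
    print("bad iquery sources:", iquery_counts(SAMPLE_SYSLOG))
    print("users logging in from many origins:", roaming_users(SAMPLE_LAST))
    print("listeners outside the allow-list:", exposed_listeners(SAMPLE_NETSTAT))
```

Run it against copies of the logs taken from a clean machine rather than on the compromised box itself: once a rootkit is in place, `last`, `netstat` and `ps` on that box cannot be trusted, which is the reason behind the reinstall advice above. The listener check is also the quick confirmation, after the rebuild, that nothing but 22 is reachable from the network.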