Re: Severe exploit found, all UNIX are affected!

[Gaurang Pandya <gaubrig () yahoo com>]

man cron
man periodic

Gaurang.
--- "Billy B. Bilano"
<mr.bill.bilano () email server unix bill bilano biz>
wrote:

> Dudes,
>
> Bad news today. Oh my goodness! I am in a tizzy-fit
> over this! I am such 
> an expert at system administrating but even the best
> of us fall from 
> glory now and then. And let me tell you, this is one
> time I believe 
> somebody got the best of me... and that somebody is
> a fellow named Charles!
>
> It all started when my big OpenBSD box took a dumper
> and I got paged. So 
> I get into the bank and start to look around and I
> poke and prod the box 
> and then I log into it and run the appropriate debug
> tools (ls, ps, top, 
> cut, etc. -- pun not intended). I notice, at long
> last, that the console 
> messages were not lying... the hard drive was indeed
> full! (you can 
> never be too sure about that sort of thing as
> everybody will agree)
>
> The offending file was the previous administrator
> (Stan, who got fired 
> when I became IT director because he was a puss and
> always joked about 
> beer and had a picture of some baby looking at teats
> saying "lunch" on 
> his cube wall -- that offended me as a larger man).
> So his old 
> administrator account has a huge mail spoolball that
> is taking up 80% of 
> the drive! Holy crappers! So I logged in as "stan"
> and used his password 
> he gave me in exchange for his severance package. I
> typed "mail" hoping 
> to see if this would let me view his mail and it did
> -- thankgod! What I 
> saw scared the holy mole dickens out of me...
>
> Thousands of emails! As I started reading them, I
> realized the full 
> extent of what is, without a doubt, going to become
> known as the biggest 
> and most notorious hack in the history of the
> Internet!
>
> Northcutt better take out that section about the
> Mitnik attack in that 
> terrible book he is always rehasing with only a
> spit-shine and fancy new 
> cover because here comes something leaner and
> meaner! (I have re-bought 
> that nut's book eight times and it is always the
> same old cruft over and 
> over but there wont be a ninth purchase, you bet
> your pink pajamas!) 
> Someone needs to tell him that SANS is not the MANS!
> LOL!
>
> This is BIG, folks! The mails... there were big ones
> and small ones and 
> they all had one thing in common: they were from a
> person who would soon 
> be determined to be a master hacker who has
> obviously infiltrated the 
> bank's system long ago, before I even canned Stan
> (he was such a chump 
> and always lost his wallet because he wore those
> baggy hacker pants).
>
> It seems that this black head hacker, named Charlie
> Root, has been busy 
> alright... Every night, like clockwork, he sends me
> a few emails that 
> contain the most intimate of details about the
> server! Drive space, 
> logins, users I've created and removed, and more! I
> think he is trying 
> to extort money from the bank!
>
> I was scared to hell to raise any red alarms at the
> bank so I started to 
> look around and I believe I found out who this
> Charlie Root person 
> really is:
http://www.baseballlibrary.com/baseballlibrary/ballplayers/R/Root_Charlie.stm
> It seems that old Chinski used to play baseball for
> the Brown Cubs back 
> in his youth. Clearly, from reading about his shoddy
> career, he was 
> washed up as his stats are terrible by modern
> standards and he retired 
> from the game in 1970! Now, as is abundantly clear,
> he has reached a 
> desperate point in his life and is now devoting his
> time to taking over 
> the world's infrastructure and trying to do phishy
> things and extort 
> money from gallant administrators like myself.
>
> I looked into the front directory on my server and
> saw a folder called 
> "root"! OMGF! I dove into his folder and saw all
> kinds of hacker files 
> (like some thinger called ".bash_history" which
> seems to contain a list 
> of commands he uses to take over the system, and
> ".forward" which 
> contains Stan's email address). There were also
> tarballers for other 
> things that look like old log backups! Incredible! I
> tried to delete 
> some of these trojan files but it said I could not!
> I did some more 
> looking around and found another startling fact:
> Charlie Root has 
> changed my shell! It is not sh like it should be, it
> has been set to 
> "stsh" which it certainly some kind of backdoor
> hacker tool to capture 
> my strokes!
>
> Normally I would just reboot the server but this
> time, since I was at 
> lunch, I decided to play around with my EMACKS
> script on my new Sun 
> 6800's and, by chance, I saw that almost every file
> on the system was 
> already owned by the "root" fellow! He has the guile
> to call himself 
> "Super-User!" when I fingered (LOL) his account! We
> have only had these 
> systems for a little over a month and this Charlie
> Root has already 
> taken over every UNIX server in the bank!
>
> This may be the end of our company if I cannot get
> this hacker out of 
> our systems and expunge the network of this wretched
> "root" Chinski 
> thing. I will not bow to his extortion attempts!
>
> Someone please tell me what I should do next!
>
> P.S. My bloglog has more background info and stuff
> about Chinski's 
> involvement in Y2000K... <http://www.bilano.biz/>
>
> -- 
> Mr. Billy B. Bilano, MSCE, CCNA
> <http://www.bilano.biz/>
> Expert Sysadmin Since 2003!
> 'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html



                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html