Security Incidents mailing list archives

Re: hacked @home with logs and info..

From: rmclean () NATDOOR COM (Randy Mclean)
Date: Fri, 9 Jun 2000 16:34:11 -0500


It could be anyone, but from my experience,  Once they get into your
computer they will put TON of backdoors using rootkit's and other stuff. I
dought that just removing his account will be the end of it. My advice is
to backup any NON-BINARY information like configuration file and do a
complete reinstall of you system. Also once you get back up and running
BLOCK all open ports you might have(I usually only leave 22 open for ssh).
Hope this helps.

At 06:10 PM 6/7/2000 +0000, you wrote:

Hey all, this is my scenario.  I was logged in to my home
box, running a modified version of Mandrake 7.0 when i
noticed a friend on my box but coming from a box in japan.
That sparked some interest, so i checked the last logins,
and noticed that someone from a few more places had logged
in as him as well.. Here's a paste of some of the
information and ip's where he came from:

210.105.178.10
ns.nek.co.jp
modemcable056.1-201-24.sherb.mc.videotron.net
mail.almustaqbal.com.lb
cr215768-a.hnsn1.on.wave.home.com <-- used three times
www2.swan.me.ynu.ac.jp

What i also noticed, is that he had two BitchX clients
running, with one connecting to port 1080 to
cafemartin.com, but having it say:

Jun  6 17:24:14 localhost named[1002]: Lame server
on 'cafemartin.com' (in 'cafemartin.com'?):
[216.173.223.2].53 'SHIT-HAPPENS-AT.L7.NET'

I'm also logging identd messages, and have noticed root
being resolved.

Jun  6 08:20:36 localhost oidentd[18927]: Connection from
216.22.10.10:3806
Jun  6 08:20:36 localhost oidentd[18927]: [216.22.10.10]
Successful lookup: 1235 , 6667 : root (root)

And no, i don't run irc as root. :)

In the logs, i've also found this, which i think is a bit
unusual:

Jun  6 13:58:42 localhost named[1002]: bad iquery from
127.0.0.1
Jun  6 13:59:30 localhost last message repeated 2 times
Jun  6 13:59:59 localhost named[1002]: bad iquery from
127.0.0.1

Well anyways, i took a look in his homedir, and found three
files.  One executable "a.out", which displays "Jumping to
address bfffe6c4 BufSize 4480" when running, a file named
s.c, which contains what i believe to be the source of
the "a.out" executable, and finally a file named x.pl.
Looking at the processes that he had run, one was a ./gn
command, which i could never locate, /bin/sh, bash, and
those two BitchX sessions.

What i did was first going in and disabling his and all
accounts but my own on the box, closed telnet, because
that's all he was using to come in, changed the root
password, and in one press of the enter key, killed every
process related to him on the box.

Can anyone give me more information or has anyone dealt
with this guy before?

Thanks,

Nick Morgowicz


--
Randy Mclean
Security/Network Administrator
rmclean () natdoor com

Current thread:

FW-1 log analysis tool, (continued)
- - - FW-1 log analysis tool Chew Poh Chang (CAPL) (Jun 08)
    - Re: FW-1 log analysis tool Lance Spitzner (Jun 10)
    - Re: FW-1 log analysis tool Kenneth Ish (Jun 11)
    - port 12345 scanning Luke Dudney (Jun 11)
    - Protocol 54 M J (Jun 07)
    - Re: very strange scan patterns Ejovi Nuwere (Jun 07)
    - hacked @home with logs and info.. nmorgowicz () RALCOIND COM (Jun 07)
    - Re: hacked @home with logs and info.. Shadow Boxer (Jun 08)
    - UDP Port 2078 Dundo (Jun 08)
    - New KAK worm distribution out Roy Wilson (Jun 08)
    - Re: hacked @home with logs and info.. Randy Mclean (Jun 09)
  - port 65535 and protocol 171 !? Jürgen Bauer (Jun 05)
- Re: Microsoft version.binding us now? Tom Kee (Jun 03)
- Re: Microsoft version.binding us now? Richard Bejtlich (Jun 22)
- Re: Microsoft version.binding us now? Oliver Friedrichs (Jun 23)
  - Re: Microsoft version.binding us now? Bill Marquette (Jun 24)
    - Re: Microsoft version.binding us now? John Hall (Jun 27)
- Re: Microsoft version.binding us now? Rune Kristian Viken (Jun 28)