Security Incidents mailing list archives
two machines hack through rpc.statd
From: Vegard Svanberg <vegard () SVANBERG NO>
Date: Wed, 7 Mar 2001 14:47:16 +0100
Hi. I admin two servers which were recently hacked. They were just installed with RH7 and really not important (and not in production) so there was no big deal. However, that is not an excuse for hacking them, so I'd like to report this guy to his local police so they could lock him up in jail where he belongs. I'd also like to get in touch with other people who've had similar break-ins from this guy.

This is _some_ of the info I have on what he did:

1. Exploited rpc.statd
2. Fetched a package (secure.tar.gz) containing some scripts to clear the logs and a couple of RPMs to fix a couple of security holes.
3. Patched rpc.statd.
4. Configured inetd to run /bin/sh at port 666. He firewalled the port.
5. Ran a script ("g.sh" also known as "gh0st.sh") to wipe the logs.

He added users "r3wt" and "gid" to /etc/passwd and /etc/shadow with uid 0 and no password. He also added an account "Vogz" which I believe is his nickname.

Here are the hostnames/IP addresses he came from:

Vogz[9590]: LOGIN ON pts/2 BY Vogz FROM cx589008-a.vista1.sdca.home.com
xinetd[8755]: START: reg pid=9614 from=63.198.203.190

In addition, I am wondering how I should handle this further, and IF I should.. I am currently located in Europe while he is probably in the US or something, hacking from a rooted *DSL machine.. Any tips and recommendations are appreciated.

Regards,

-- 
Vegard Svanberg <vegard () svanberg no>
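A small triage script for the artefacts described in this post, added here as an example (it is not from the original mail or its author): it scans copies of /etc/passwd, /etc/shadow and /etc/inetd.conf for extra uid-0 accounts, empty password fields and inetd services that launch a shell. The sample file contents are constructed to mirror the report and are not real data.

```python
"""Post-compromise triage checks (added example): extra uid-0 accounts,
empty shadow password fields, and inetd.conf entries that serve a shell."""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh"}

def find_uid0_accounts(passwd_text, allowed=("root",)):
    """Return usernames with uid 0 that are not in the allowed set."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2].isdigit() and int(f[2]) == 0 and f[0] not in allowed:
            hits.append(f[0])
    return hits

def find_empty_passwords(shadow_text):
    """Return usernames whose shadow hash field is empty (login needs no password)."""
    return [f[0] for f in (l.split(":") for l in shadow_text.splitlines())
            if len(f) >= 2 and f[1] == ""]

def find_shell_services(inetd_text):
    """Return (service, user, server) for inetd.conf lines whose server is a shell."""
    hits = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        # inetd.conf columns: service socket proto wait/nowait user server [args]
        if len(f) >= 6 and f[5] in SHELLS:
            hits.append((f[0], f[4], f[5]))
    return hits

# Constructed sample files mirroring the post's findings (not real data).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
r3wt:x:0:0::/root:/bin/bash
gid:x:0:0::/root:/bin/bash
Vogz:x:501:501::/home/Vogz:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$saltsalt$fakehashfakehashfakeha:11388:0:99999:7:::
r3wt::11388:0:99999:7:::
gid::11388:0:99999:7:::
"""
SAMPLE_INETD = """telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
doom    stream  tcp  nowait  root  /bin/sh  sh -i
"""

if __name__ == "__main__":
    print(find_uid0_accounts(SAMPLE_PASSWD))    # ['r3wt', 'gid']
    print(find_empty_passwords(SAMPLE_SHADOW))  # ['r3wt', 'gid']
    print(find_shell_services(SAMPLE_INETD))    # [('doom', 'root', '/bin/sh')]
```

The service name in the inetd sample is only a constructed stand-in; on a real host, compare the flagged service against /etc/services to learn which port it binds, since an attacker can add an entry there as well.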
Current thread:
- two machines hack through rpc.statd Vegard Svanberg (Mar 07)
- Re: two machines hack through rpc.statd Ryan Russell (Mar 07)
- Re: two machines hack through rpc.statd Vegard Svanberg (Mar 08)
- Re: two machines hack through rpc.statd Vegard Svanberg (Mar 08)
- <Possible follow-ups>
- Re: two machines hack through rpc.statd Timothy Lyons (Mar 07)
- Re: two machines hack through rpc.statd Justin Shore (Mar 07)
- Re: two machines hack through rpc.statd Ryan Russell (Mar 07)