Severe exploit found, all UNIX are affected!
From: "Billy B. Bilano" <mr.bill.bilano () email server unix bill bilano biz>
Date: Thu, 16 Sep 2004 14:54:39 -0500
Bad news today. Oh my goodness! I am in a tizzy-fit over this! I am such an expert at system administrating but even the best of us fall from glory now and then. And let me tell you, this is one time I believe somebody got the best of me... and that somebody is a fellow named Charles!

It all started when my big OpenBSD box took a dumper and I got paged. So I get into the bank and start to look around and I poke and prod the box and then I log into it and run the appropriate debug tools (ls, ps, top, cut, etc. -- pun not intended). I notice, at long last, that the console messages were not lying... the hard drive was indeed full! (you can never be too sure about that sort of thing as everybody will agree)

The offending file was the previous administrator (Stan, who got fired when I became IT director because he was a puss and always joked about beer and had a picture of some baby looking at teats saying "lunch" on his cube wall -- that offended me as a larger man). So his old administrator account has a huge mail spoolball that is taking up 80% of the drive! Holy crappers! So I logged in as "stan" and used his password he gave me in exchange for his severance package. I typed "mail" hoping to see if this would let me view his mail and it did -- thank god! What I saw scared the holy mole dickens out of me...

Thousands of emails! As I started reading them, I realized the full extent of what is, without a doubt, going to become known as the biggest and most notorious hack in the history of the Internet!

Northcutt better take out that section about the Mitnick attack in that terrible book he is always rehashing with only a spit-shine and fancy new cover because here comes something leaner and meaner! (I have re-bought that nut's book eight times and it is always the same old cruft over and over but there won't be a ninth purchase, you bet your pink pajamas!) Someone needs to tell him that SANS is not the MANS! LOL!

This is BIG, folks! The mails... there were big ones and small ones and they all had one thing in common: they were from a person who would soon be determined to be a master hacker who has obviously infiltrated the bank's system long ago, before I even canned Stan (he was such a chump and always lost his wallet because he wore those baggy hacker pants).

It seems that this black head hacker, named Charlie Root, has been busy alright... Every night, like clockwork, he sends me a few emails that contain the most intimate of details about the server! Drive space, logins, users I've created and removed, and more! I think he is trying to extort money from the bank!

I was scared to hell to raise any red alarms at the bank so I started to look around and I believe I found out who this Charlie Root person

It seems that old Chinski used to play baseball for the Brown Cubs back in his youth. Clearly, from reading about his shoddy career, he was washed up as his stats are terrible by modern standards and he retired from the game in 1970! Now, as is abundantly clear, he has reached a desperate point in his life and is now devoting his time to taking over the world's infrastructure and trying to do phishy things and extort money from gallant administrators like myself.

I looked into the front directory on my server and saw a folder called "root"! OMGF! I dove into his folder and saw all kinds of hacker files (like some thinger called ".bash_history" which seems to contain a list of commands he uses to take over the system, and ".forward" which contains Stan's email address). There were also tarballers for other things that look like old log backups! Incredible! I tried to delete some of these trojan files but it said I could not! I did some more looking around and found another startling fact: Charlie Root has changed my shell! It is not sh like it should be, it has been set to "stsh" which is certainly some kind of backdoor hacker tool to capture

Normally I would just reboot the server but this time, since I was at lunch, I decided to play around with my EMACKS script on my new Sun 6800's and, by chance, I saw that almost every file on the system was already owned by the "root" fellow! He has the guile to call himself "Super-User!" when I fingered (LOL) his account! We have only had these systems for a little over a month and this Charlie Root has already taken over every UNIX server in the bank!

This may be the end of our company if I cannot get this hacker out of our systems and expunge the network of this wretched "root" Chinski thing. I will not bow to his extortion attempts!

Someone please tell me what I should do next!

P.S. My bloglog has more background info and stuff about Chinski's involvement in Y2000K... <http://www.bilano.biz/>

Mr. Billy B. Bilano, MSCE, CCNA
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
Full-Disclosure - We believe in it.