Security Incidents: hacked @home with logs and info..

From: <nmorgowicz_at_RALCOIND.COM>
Date: Wed, 7 Jun 2000 18:10:17 -0000

Hey all, this is my scenario. I was logged in to my home
box, running a modified version of Mandrake 7.0, when I
noticed a friend on my box but coming from a box in Japan.
That sparked some interest, so I checked the last logins
and noticed that someone from a few more places had logged
in as him as well. Here's a paste of some of the
information and IPs where he came from:

210.105.178.10
ns.nek.co.jp
modemcable056.1-201-24.sherb.mc.videotron.net
mail.almustaqbal.com.lb
cr215768-a.hnsn1.on.wave.home.com <-- used three times
www2.swan.me.ynu.ac.jp

What I also noticed is that he had two BitchX clients
running, with one connecting to port 1080 on
cafemartin.com, but having it say:

Jun 6 17:24:14 localhost named[1002]: Lame server on 'cafemartin.com' (in 'cafemartin.com'?): [216.173.223.2].53 'SHIT-HAPPENS-AT.L7.NET'

I'm also logging identd messages, and have noticed root
being resolved.

Jun 6 08:20:36 localhost oidentd[18927]: Connection from 216.22.10.10:3806
Jun 6 08:20:36 localhost oidentd[18927]: [216.22.10.10] Successful lookup: 1235 , 6667 : root (root)

And no, I don't run irc as root. :)

In the logs, I've also found this, which I think is a bit
unusual:

Jun 6 13:58:42 localhost named[1002]: bad iquery from 127.0.0.1
Jun 6 13:59:30 localhost last message repeated 2 times
Jun 6 13:59:59 localhost named[1002]: bad iquery from 127.0.0.1

Well anyways, I took a look in his homedir and found three
files: one executable, "a.out", which displays "Jumping to
address bfffe6c4 BufSize 4480" when run; a file named
s.c, which contains what I believe to be the source of
the "a.out" executable; and finally a file named x.pl.
Looking at the processes that he had run, one was a ./gn
command, which I could never locate, plus /bin/sh, bash, and
those two BitchX sessions.

What I did was first go in and disable his and all
accounts but my own on the box, close telnet, because
that's all he was using to come in, change the root
password, and, in one press of the enter key, kill every
process related to him on the box.

Can anyone give me more information or has anyone dealt
with this guy before?

Thanks,

Nick Morgowicz
Received on Jun 08 2000
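The poster's oidentd lines are the kind of evidence a log check can pick up automatically: an ident answer naming root for a socket going to an IRC server is out of place when nobody runs irc as root. The following is an added example, not code from the post or from oidentd; it assumes the "Successful lookup" line format shown above, and the third sample line (user "nick", address 192.0.2.7) is constructed.

```python
import re
from typing import Dict, Iterable, List

# Syslog line oidentd writes when it answers an ident query. The responder
# reports which local user owns the socket <lport> -> <peer>:<rport>, where
# <peer> is the host that asked (here the IRC server on port 6667).
# Format assumed from the lines quoted in the post above.
LOOKUP_RE = re.compile(
    r"oidentd\[(?P<pid>\d+)\]: \[(?P<peer>[0-9.]+)\] Successful lookup: "
    r"(?P<lport>\d+) , (?P<rport>\d+) : (?P<user>\S+)"
)


def parse_ident_lookups(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Extract peer, local port, remote port and owning user from oidentd lines."""
    records = []
    for line in lines:
        m = LOOKUP_RE.search(line)
        if m:  # "Connection from" lines and unrelated syslog entries are skipped
            records.append({
                "peer": m["peer"],
                "lport": int(m["lport"]),
                "rport": int(m["rport"]),
                "user": m["user"],
            })
    return records


def flag_privileged_lookups(records, privileged=frozenset({"root"})):
    """Return lookups where an account that should never own an outbound
    client socket (root by default) is reported as the socket owner."""
    return [r for r in records if r["user"] in privileged]


# Sample input: the two oidentd lines from the post, plus one constructed
# benign line for an ordinary user, to show the check does not fire on it.
SAMPLE_LOG = [
    "Jun 6 08:20:36 localhost oidentd[18927]: Connection from 216.22.10.10:3806",
    "Jun 6 08:20:36 localhost oidentd[18927]: [216.22.10.10] Successful lookup: 1235 , 6667 : root (root)",
    "Jun 6 09:01:12 localhost oidentd[18930]: [192.0.2.7] Successful lookup: 1240 , 6667 : nick (nick)",
]

if __name__ == "__main__":
    for hit in flag_privileged_lookups(parse_ident_lookups(SAMPLE_LOG)):
        print(f"ALERT: {hit['user']} owns local port {hit['lport']} -> {hit['peer']}:{hit['rport']}")
```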
