Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: Re: hacked @home with logs and info..

Re: hacked @home with logs and info..

From: Randy Mclean <rmclean_at_NATDOOR.COM>
Date: Fri, 9 Jun 2000 16:34:11 -0500

It could be anyone, but from my experience, Once they get into your
computer they will put TON of backdoors using rootkit's and other stuff. I
dought that just removing his account will be the end of it. My advice is
to backup any NON-BINARY information like configuration file and do a
complete reinstall of you system. Also once you get back up and running
BLOCK all open ports you might have(I usually only leave 22 open for ssh).
Hope this helps.

At 06:10 PM 6/7/2000 +0000, you wrote:
>Hey all, this is my scenario. I was logged in to my home
>box, running a modified version of Mandrake 7.0 when i
>noticed a friend on my box but coming from a box in japan.
>That sparked some interest, so i checked the last logins,
>and noticed that someone from a few more places had logged
>in as him as well.. Here's a paste of some of the
>information and ip's where he came from:
>
>210.105.178.10
>ns.nek.co.jp
>modemcable056.1-201-24.sherb.mc.videotron.net
>mail.almustaqbal.com.lb
>cr215768-a.hnsn1.on.wave.home.com <-- used three times
>www2.swan.me.ynu.ac.jp
>
>What i also noticed, is that he had two BitchX clients
>running, with one connecting to port 1080 to
>cafemartin.com, but having it say:
>
>Jun 6 17:24:14 localhost named[1002]: Lame server
>on 'cafemartin.com' (in 'cafemartin.com'?):
>[216.173.223.2].53 'SHIT-HAPPENS-AT.L7.NET'
>
>I'm also logging identd messages, and have noticed root
>being resolved.
>
>Jun 6 08:20:36 localhost oidentd[18927]: Connection from
>216.22.10.10:3806
>Jun 6 08:20:36 localhost oidentd[18927]: [216.22.10.10]
>Successful lookup: 1235 , 6667 : root (root)
>
>And no, i don't run irc as root. :)
>
>In the logs, i've also found this, which i think is a bit
>unusual:
>
>Jun 6 13:58:42 localhost named[1002]: bad iquery from
>127.0.0.1
>Jun 6 13:59:30 localhost last message repeated 2 times
>Jun 6 13:59:59 localhost named[1002]: bad iquery from
>127.0.0.1
>
>Well anyways, i took a look in his homedir, and found three
>files. One executable "a.out", which displays "Jumping to
>address bfffe6c4 BufSize 4480" when running, a file named
>s.c, which contains what i believe to be the source of
>the "a.out" executable, and finally a file named x.pl.
>Looking at the processes that he had run, one was a ./gn
>command, which i could never locate, /bin/sh, bash, and
>those two BitchX sessions.
>
>What i did was first going in and disabling his and all
>accounts but my own on the box, closed telnet, because
>that's all he was using to come in, changed the root
>password, and in one press of the enter key, killed every
>process related to him on the box.
>
>Can anyone give me more information or has anyone dealt
>with this guy before?
>
>Thanks,
>
>Nick Morgowicz 

--
Randy Mclean
Security/Network Administrator
rmclean_at_natdoor.com
Received on Jun 10 2000
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos