Security Incidents mailing list archives
hacked @home with logs and info..
From: nmorgowicz () RALCOIND COM (nmorgowicz () RALCOIND COM)
Date: Wed, 7 Jun 2000 18:10:17 -0000
Hey all, this is my scenario. I was logged in to my home box, running a modified version of Mandrake 7.0, when I noticed a friend on my box but coming from a box in Japan. That sparked some interest, so I checked the last logins, and noticed that someone from a few more places had logged in as him as well. Here's a paste of some of the information and IPs where he came from:

210.105.178.10
ns.nek.co.jp
modemcable056.1-201-24.sherb.mc.videotron.net
mail.almustaqbal.com.lb
cr215768-a.hnsn1.on.wave.home.com <-- used three times
www2.swan.me.ynu.ac.jp

What I also noticed is that he had two BitchX clients running, with one connecting to port 1080 to cafemartin.com, but having it say:

Jun 6 17:24:14 localhost named[1002]: Lame server on 'cafemartin.com' (in 'cafemartin.com'?): [216.173.223.2].53 'SHIT-HAPPENS-AT.L7.NET'

I'm also logging identd messages, and have noticed root being resolved.

Jun 6 08:20:36 localhost oidentd[18927]: Connection from 216.22.10.10:3806
Jun 6 08:20:36 localhost oidentd[18927]: [216.22.10.10] Successful lookup: 1235 , 6667 : root (root)

And no, I don't run irc as root. :)

In the logs, I've also found this, which I think is a bit unusual:

Jun 6 13:58:42 localhost named[1002]: bad iquery from 127.0.0.1
Jun 6 13:59:30 localhost last message repeated 2 times
Jun 6 13:59:59 localhost named[1002]: bad iquery from 127.0.0.1

Well anyways, I took a look in his homedir, and found three files: one executable, "a.out", which displays "Jumping to address bfffe6c4 BufSize 4480" when running; a file named s.c, which contains what I believe to be the source of the "a.out" executable; and finally a file named x.pl. Looking at the processes that he had run, one was a ./gn command, which I could never locate, /bin/sh, bash, and those two BitchX sessions.
What I did first was go in and disable his and all accounts but my own on the box, close telnet, because that's all he was using to come in, change the root password, and in one press of the enter key, kill every process related to him on the box. Can anyone give me more information, or has anyone dealt with this guy before?

Thanks,
Nick Morgowicz
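Added example, not part of Nick's post or the list archive: a small Python triage pass over syslog lines constructed in the shape of the ones quoted above. It flags local sockets owned by root that a remote IRC server asked identd about, and totals the named "bad iquery" messages per source, folding in the "last message repeated N times" lines that syslog uses to collapse duplicates. The set of ports treated as IRC is an assumption.

```python
import re
from collections import Counter

# Constructed sample, modelled on the syslog lines quoted in the post.
SAMPLE_LOG = """\
Jun 6 08:20:36 localhost oidentd[18927]: Connection from 216.22.10.10:3806
Jun 6 08:20:36 localhost oidentd[18927]: [216.22.10.10] Successful lookup: 1235 , 6667 : root (root)
Jun 6 13:58:42 localhost named[1002]: bad iquery from 127.0.0.1
Jun 6 13:59:30 localhost last message repeated 2 times
Jun 6 13:59:59 localhost named[1002]: bad iquery from 127.0.0.1
"""

# oidentd answers an RFC 1413 query "<local-port> , <remote-port>" with the
# owner of the local socket; the bracketed host is the one that asked.
IDENT_RE = re.compile(
    r"oidentd\[\d+\]: \[(?P<ip>[\d.]+)\] Successful lookup: "
    r"(?P<lport>\d+) , (?P<rport>\d+) : (?P<user>\S+)")
IQUERY_RE = re.compile(r"named\[\d+\]: bad iquery from (?P<ip>[\d.]+)")
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

IRC_PORTS = {6667, 6668, 6669, 7000}  # assumption: remote ports treated as IRC


def triage(log_text):
    """Return (root-owned sockets queried by an IRC server,
    per-source count of BIND 'bad iquery' messages with repeats folded in)."""
    root_sockets = []
    bad_iquery = Counter()
    last_iquery_ip = None  # source of the previous iquery line, for repeats
    for line in log_text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m["user"] == "root" and int(m["rport"]) in IRC_PORTS:
                root_sockets.append((m["ip"], int(m["lport"]), int(m["rport"])))
            last_iquery_ip = None
            continue
        m = IQUERY_RE.search(line)
        if m:
            bad_iquery[m["ip"]] += 1
            last_iquery_ip = m["ip"]
            continue
        m = REPEAT_RE.search(line)
        if m and last_iquery_ip:
            bad_iquery[last_iquery_ip] += int(m["n"])  # repeats of the iquery
            continue
        last_iquery_ip = None
    return root_sockets, bad_iquery
```

Calling `triage(SAMPLE_LOG)` on the constructed sample reports the root-owned local port 1235 talking to 216.22.10.10:6667 and four bad iqueries from 127.0.0.1.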