[NTLUG:Discuss] crack autopsy

lee lee at brave.com
Thu Aug 26 22:17:38 CDT 1999


i'm no computer expert.  i've never taken a computer class beyond programming a
bubble sort in basic.  i think i might could write a small, 3-line shell script
maybe if it were to save my life.  learning linux is fun; everything i've
learned has been from reading a few published books, following slashdot.org, and
reading this list.

so i thought i'd get me one of them there (somewhat) permanent IP addresses and
host a domain.  what fun!  until yesterday...

<log excerpt>
Aug 25 09:10:16 foobar mountd[335]: Unauthorized access by NFS client
24.112.134.253.
Aug 25 09:10:16 foobar syslogd: Cannot glue message parts together 
Aug 25 09:10:16 foobar mountd[335]: Blocked attempt of 24.112.134.253 to mount ^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^
P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Aug 25 09:10:16 foobar
^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E

<end excerpt>
the ip address resolves to a home.com host.  i'm confident there was a 2nd IP
address involved, but i don't have a record of it.  perhaps it was reflected in
the /var/log/secure file.  i did traceroute on both and they were home.com
hosts, but different hosts nonetheless.  i put the .home.com domain and the two
IP addresses in the /etc/hosts.deny file.

later that evening around 10:00pm, my log files were deleted.

the ip addresses of the first cracks and the second crack were very different. 
the 2nd crack IP was from 209.66.33.97 which resolves to jaguarsystems.com.

i was only alerted to the intrusion when tail -f /var/log/secure said ROOT
LOGIN.  i wish i had a copy of that session somewhere.

examination of the /etc/passwd file revealed:

<excerpt with comments>
# next line was my password left in the clear
mypassword
502
502
Red Hat Linux User,,,,
/home/?
/bin/bash
moof::0:0::/:/bin/bash

<end excerpt>

obviously, the file had been compromised somewhere along the way.  note the last
entry of the file.  i certainly didn't put *that* entry there.  all one had to
do was type "moof" at login, and you were root, no password or anything!  i
can't tell you if it was my user password or the root password left in the clear
in the file, because they both were the same (d'oh!).  well, they're different
now.

"moof" was logged in when my log files were zapped.  and then i found this
.bash_history file in the root directory:

<begin file>
/sbin/telinit q
ps axf
init q
/sbin/init q
man init
/sbin/init 3
ps ax
ps axf
killall gpm
killall xfstt
ps ax
/sbin/telinit 3
who
/sbin/who
who
echo $PATH
telinit 3
telinit u
telinit q
telinit 3
w
ls -l
who
ps uxa
cat /etc/passwd
cat /etc/passwd
exit
w
rm -rf /var/log/
killall tail
rm -rf /var/log/
rm -rf /var/log/
rm -rf /var/adm
ls /var
exit

<EOF>

i've since blocked everything except for my work domain from any inetd services.

before i turn that eth0 back on i'm going to figure out the shadow password
stuff first.

i do have a question though... i don't think i need to reinstall everything, but
are there any other files/configuration stuff that i should look at to see if
it's been compromised?  thanks,

-- lee

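As an added example (this is not from lee's post or the NTLUG archive, and the function names are my own), here is a small POSIX shell script doing the checks a responder would run on this box first: it lists UID-0 accounts other than root (the "moof" backdoor), accounts with an empty password field, accounts whose password field is not a shadow placeholder, and the source addresses of mountd "Blocked attempt" lines whose mount path is a long run of caret-escaped control characters like the one in the log excerpt. The passwd and syslog contents inside it are constructed samples modelled on the excerpts, written to temp files so the script runs offline.

```shell
#!/bin/sh
# Post-intrusion triage checks (added example). Replace the sample files with
# the real /etc/passwd and /var/log/messages to use them on a host.

# Constructed sample passwd: the "moof" line is the one quoted in the post, the
# "lee" line is the unshadowed entry it describes, the rest are filler.
sample_passwd() {
  cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:
lee:mypassword:502:502:Red Hat Linux User,,,,:/home/lee:/bin/bash
moof::0:0::/:/bin/bash
EOF
}

# Constructed sample syslog: one blocked mount whose "path" is a run of ^P
# (0x10) bytes as syslogd escapes them, one legitimate denial, one noise line.
sample_messages() {
  cat <<'EOF'
Aug 25 09:10:16 foobar mountd[335]: Unauthorized access by NFS client 24.112.134.253.
Aug 25 09:10:16 foobar mountd[335]: Blocked attempt of 24.112.134.253 to mount ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Aug 25 09:12:01 foobar mountd[335]: Blocked attempt of 10.0.0.7 to mount /export/home
Aug 25 09:15:00 foobar sshd[410]: Accepted password for lee from 10.0.0.9
EOF
}

# Every account other than root with UID 0 is a root login, whatever its name.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# An empty password field means "login: moof" gets a shell with no password
# prompt at all.
empty_password() { awk -F: '$2 == "" { print $1 }' "$1"; }

# Password field holding something other than the placeholders ("x" for an
# /etc/shadow entry, "*" or "!" for a locked account): a hash, or worse,
# sitting in the world-readable passwd file.
unshadowed() {
  awk -F: '$2 != "" && $2 != "x" && $2 != "*" && $2 != "!" { print $1 }' "$1"
}

# Source addresses of blocked mount requests whose path is 16 or more
# caret-escaped control characters, i.e. a binary payload, not an export name.
mountd_probe_sources() {
  grep -E 'mountd\[[0-9]+\]: Blocked attempt of [0-9.]+ to mount (\^.){16,}' "$1" \
    | sed 's/.* Blocked attempt of \([0-9.]*\) to mount .*/\1/' | sort -u
}

# Run all four checks against the sample data and report.
main() {
  pw=$(mktemp); log=$(mktemp)
  sample_passwd >"$pw"; sample_messages >"$log"
  echo "extra UID 0 accounts:  $(extra_uid0 "$pw")"
  echo "empty password fields: $(empty_password "$pw")"
  echo "unshadowed accounts:   $(unshadowed "$pw")"
  echo "mountd probe sources:  $(mountd_probe_sources "$log")"
  rm -f "$pw" "$log"
}
main
```

On a host like this one, run the checks from a clean boot medium or with known-good copies of awk, grep and sed: the shell history shows the intruder had root, so nothing on the installed system (binaries included) can be trusted to report honestly, and the log check only helps on a box where /var/log was not wiped.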