[NTLUG:Discuss] crackers
MadHat
madhat at unspecific.com
Fri Aug 27 08:04:56 CDT 1999
lee wrote:
>
> first intrusion was around 9:00 in the a.m., a failed attempt to do
> some kind of NFS mount. couple of 30 minutes or so later were some
> kernel error messages and a bunch of gibberish
> (E^H^-(E^H^-(E^H^-(E^H^-(E^H^-( type stuff, so i knew something was
This would probably be from them trying to take advantage of an NFS
buffer overflow exploit. If you send it the right amount of 'data' in
the wrong place, it will crap out and give them access. (basically)
> up. then at about 9:30pm or so, i noticed ROOT LOGIN from tailing
> the system logs, and it wasn't me. after about 30-60 secs of sheer
> panic, i was about to %/sbin/ifdown eth0 but he was gone by then.
> guess i just shoulda reached up and unplugged the ethernet cable
> instead.
>
> first two intrusions were from different ip addys from home.com
> somewheres up near buffalo ny and the last one came from
> jaguarsystems.com dialup service in jersey.
>
I would surmise that they tested the box from their account, noticed they
could get in and used a dialup in someone else's name to actually get in.
Just a thought and this isn't that uncommon, be glad you caught it and
make sure to lock it down.
--
MadHat