Date: Sun, 23 Jun 1996 21:08:46 -0400 (EDT)
From: jaeger
To: "Jordan K. Hubbard"
cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <7979.835575935@time.cdrom.com>

On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:

> jkh p2 a235.pu.ru Sun04PM - -bash (bash)
> Sure gets the heart pounding doesn't it?
> This was "me" on wcarchive.cdrom.com today - when I caught the guy I
> starred myself out of the password file and `watch -W'd' him. He
> wasn't doing anything special, but when I sent him a "gotcha!" he
> attempted to remove my home directory (nothing in it, no loss) and
> logged out. That proves this guy to not only be a cracker but a
> malicious one at that and, were he to be caught and relieved of his
> testicles by the Russian mafia, I would be the first to ask for them
> in a jar as a memento! :-)
>
> I'm not one to generally get too upset about this kind of thing, but
> breaking into our flagship machine as me is going just a bit too far
> (as was trying to nuke my files when caught - I'd have forgiven him
> but for that, now I want his balls).

Very amateurish, that. Contact the Russians on a secure channel (woo,
sounds like a spy novel). Sweep the machine for suid shells and changed
binaries.
You might want to suspend some remote logins until you have this worked
out. The process accounting logs, if you run it, may be illuminating.
Check your history file (.bash_history in this case) and anything else
he may have left around (I'm somewhat unclear on whether your home
directory was actually removed). Even if you find no altered binaries or
other evidence the intruder had gained root access, I'd still fire up
lsof and look for sniffers or backdoor processes. Use TCP wrappers to
deny access from *.ru or all but selected hosts.

I'd say your chances of tracking this guy down are pretty slim unless
the Russian hosts weren't root compromised or they were running enhanced
logging or network monitors. Could this intrusion possibly have been a
result of using cleartext remote login sessions?

-jaeger
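The "sweep for suid shells and changed binaries" step above, as an added example that is not part of this thread: a small POSIX sh sweep that lists setuid/setgid files under a tree and compares a set of binaries against a checksum baseline taken from a trusted install or backup. The function names, the baseline file and the directory arguments are assumptions, so it can be exercised on a scratch directory before being pointed at a real system.

```shell
#!/bin/sh
# Added example, not from the original message. Two checks jaeger suggests:
# a setuid/setgid sweep and a changed-binary check against a baseline.
# Paths are passed as arguments; nothing here touches the system outside them.

# Print every setuid or setgid regular file under the directory given in $1.
# Compare the result against the list a clean install of the same release
# produces; a shell or editor carrying the setuid bit has no business there.
find_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Record a checksum baseline for the files named on stdin into the file $1.
# cksum is POSIX and exists on 1996-era BSD as well as on current systems;
# on a live host prefer a stronger hash where one is available, and keep
# the baseline off the machine being checked.
make_baseline() {
    while IFS= read -r f; do
        cksum "$f"
    done > "$1"
}

# Re-check every file recorded in baseline $1 and print the paths whose
# checksum or size differs (a replaced login, ps or ls would show up here).
# Returns 1 if anything changed or went missing, 0 otherwise.
verify_baseline() {
    changed=0
    while read -r sum size path; do
        now=$(cksum "$path" 2>/dev/null | awk '{print $1, $2}')
        if [ "$now" != "$sum $size" ]; then
            echo "CHANGED: $path"
            changed=1
        fi
    done < "$1"
    return $changed
}
```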