Script Kiddies ... grrrr


LordMorlock
01-04-2001, 06:10 PM
Hiya all,

My message today is an enquiry and a warning.

I have Red Hat Linux 6.2 installed on my server and everything has been going fine. I noticed a week or two ago that the command "ps -lA" didn't work anymore. I had just installed a fair few packages (compiling, not rpm :) ) so I figured one of those had wiped over it with an earlier version (I did a --version and got procps version 1.01 instead of 2.0.6). I noticed last night, however, while reading the messages log, that someone had logged in under a name that I hadn't added! Upon further inspection I found that several files had been replaced and that passwords had been changed, and users added.

To my knowledge, nothing has been deleted, except for some backed up messages logs.

***** WARNING: For anyone like me, check those logs regularly as I hadn't for ages and therefore didn't pick up on these errors. Also watch for programs like "linsniffer" which was running on my server. This is used to monitor all network traffic and log it. In this log you will find usernames, passwords etc. VERY BAD.

***** QUESTION: I would like to know how they got in exactly. The logs say:
server rpc.statd[364]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^X÷ÿ¿^Z÷ÿ¿ ... bffff719~P~P~P~P~P~P~P~P~P~P~P~P~P~P ...
server adduser[17288]: new user: name=cgi, uid=0, gid=0, ... etc.

Now, I presume this is where they created the user, however, how did they get in, in the first place???

Also, they were running sshdu on an obscure port. What is sshdu and how were they using this to get in ... e.g. Telnet?

Any help or info would be appreciated.

***** SCRIPT KIDDIES: The reason I refer to this attacker as a script kiddie and not a hacker is, I believe if you are a hacker, you are good, and this person left LOTS of traces around and had I been better and not slacking off, I would have picked them up immediately!


[This message has been edited by LordMorlock (edited 01-04-2001).]
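Editor's note, as an added example that is not part of LordMorlock's post: the rpc.statd line quoted above is the characteristic trace of the remotely exploitable format-string bug in the rpc.statd shipped with Red Hat 6.2's nfs-utils. The "hostname" it complains about is the attacker's buffer: ^X÷ÿ¿ is the little-endian stack address 0xbffff718 repeated, bffff719 is the same address in ASCII, and ~P~P~P is a run of 0x90 NOP bytes. The Python scanner below pulls exactly those traces out of a syslog file (non-printable bytes, a NOP sled and 0xbfffxxxx addresses in a gethostbyname error), flags adduser entries that create a uid 0 or gid 0 account under a name other than root, and then reports later logins by any such account. The sample log is constructed: the timestamps, the home/shell fields, the sshd line and the address 10.0.0.5 are made up for the example and are not from the post.

```python
"""Scan syslog-style messages for the traces described in the post:
rpc.statd gethostbyname errors carrying a binary payload, adduser lines
creating a uid 0 account that is not root, and logins by such accounts."""
import re

# Constructed payload modelled on the bytes quoted in the post:
# three copies of 0xbffff718 little-endian, one of 0xbffff71a, the
# ASCII form "bffff719", then a run of 0x90 NOP bytes.
STATD_PAYLOAD = (b"\x18\xf7\xff\xbf" * 3 + b"\x1a\xf7\xff\xbf"
                 + b"bffff719" + b"\x90" * 14)

# Constructed sample log (hypothetical timestamps, fields and addresses).
SAMPLE_LOG = b"\n".join([
    b"Dec 28 03:12:41 server rpc.statd[364]: gethostbyname error for " + STATD_PAYLOAD,
    b"Dec 28 03:12:44 server adduser[17288]: new user: name=cgi, uid=0, gid=0, "
    b"home=/home/cgi, shell=/bin/bash",
    b"Dec 28 03:13:02 server adduser[17301]: new user: name=alice, uid=502, "
    b"gid=502, home=/home/alice, shell=/bin/bash",
    b"Dec 28 03:15:10 server sshd[17340]: Accepted password for cgi from "
    b"10.0.0.5 port 4022 ssh2",
    b"Dec 28 03:20:00 server rpc.statd[364]: gethostbyname error for nosuchhost.example",
]) + b"\n"

# Work on bytes: the payload is not valid text in any encoding.
STATD_RE = re.compile(rb"rpc\.statd\[\d+\]: gethostbyname error for (?P<host>.*)$")
ADDUSER_RE = re.compile(
    rb"adduser\[\d+\]: new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+), gid=(?P<gid>\d+)")
LOGIN_RE = re.compile(rb"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")

NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")
NOP_SLED = re.compile(rb"\x90{8,}")               # classic x86 NOP run
LE_STACK_ADDR = re.compile(rb"..\xff\xbf", re.S)  # 0xbfffxxxx, little-endian
ASCII_STACK_ADDR = re.compile(rb"bfff[0-9a-f]{4}")


def statd_indicators(host: bytes) -> list:
    """Reasons a gethostbyname 'hostname' looks like an overflow payload."""
    hits = []
    if NON_PRINTABLE.search(host):
        hits.append("non-printable bytes in hostname")
    if NOP_SLED.search(host):
        hits.append("NOP sled (run of 0x90)")
    if LE_STACK_ADDR.search(host) or ASCII_STACK_ADDR.search(host):
        hits.append("0xbfffxxxx stack address")
    return hits


def adduser_indicators(name: bytes, uid: int, gid: int) -> list:
    """Reasons a freshly created account looks like a backdoor."""
    hits = []
    if name != b"root" and uid == 0:
        hits.append("new account with uid 0")
    if name != b"root" and gid == 0:
        hits.append("new account with gid 0")
    return hits


def scan_log(data: bytes) -> list:
    """Return (line_number, kind, reasons) for every suspicious line."""
    findings = []
    rogue_users = set()
    for n, line in enumerate(data.splitlines(), 1):
        m = STATD_RE.search(line)
        if m:
            hits = statd_indicators(m["host"])
            if hits:
                findings.append((n, "rpc.statd overflow attempt", hits))
            continue
        m = ADDUSER_RE.search(line)
        if m:
            hits = adduser_indicators(m["name"], int(m["uid"]), int(m["gid"]))
            if hits:
                rogue_users.add(m["name"])
                findings.append((n, "rogue account created", hits))
            continue
        m = LOGIN_RE.search(line)
        if m and m["user"] in rogue_users:
            detail = f"{m['user'].decode()} from {m['src'].decode()}"
            findings.append((n, "login by rogue account", [detail]))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/messages", "rb").read() on a real host.
    for n, kind, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind}: {'; '.join(reasons)}")
```

Run against the real /var/log/messages as root (the file is read as bytes on purpose). Note that on a box where the attacker has already replaced binaries, as the procps downgrade in the post suggests, the logs themselves may have been trimmed, so treat a clean result as inconclusive and compare against any off-host copies.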