[100468] in RedHat Linux List
Hacked! :(
daemon@ATHENA.MIT.EDU (David E. Fox)
Fri Nov 20 18:32:07 1998
From: "David E. Fox" <dfox@belvdere.vip.best.com>
To: redhat-list@redhat.com
Date: Fri, 20 Nov 1998 15:16:45 -0800 (PST)
Cc: postmaster@mech.ubc.ca, abuse@mech.ubc.ca, postmaster@ubc.ca,
postmaster@csun.edu, abuse@csun.edu
Reply-To: dfox@belvdere.vip.best.com
Resent-From: redhat-list@redhat.com
Well, I never thought it might happen to me, but apparently over
the last few days my system was broken into by a user in
Canada, and also apparently from a user at csun.edu. I am also
copying this to the abuse administrators at csun.edu and at
mech.ubc.ca.
I have syslog entries to prove it, and a ps listing that I noticed
just a few minutes ago -- thank god I was running 'top'; otherwise
I might not have noticed it... but there it was, a user r0x running
a 'vi rootkit.h' command... I immediately killed the net
connection and went digging.
find / -name rootkit.h only reveals one rootkit.h file, in the
Linux source directory (specifically:
/usr/src/linux-2.0.35/arch/ppc/boot/compressed/.o/rootkit.h).
But that's a very strange place to hide a rootkit, and it is there
plainly for me to see.... everything is there that one would
expect to be in a hacking kit.
Relevant logs show the following:
Nov 19 00:20:01 belvdere pam_rhosts_auth[596]: denied to roxana@serendip.mech.ubc.ca as anti: access not allowed
Nov 19 00:20:03 belvdere PAM_pwdb[602]: (login) session opened for user anti by (uid=0)
Nov 19 00:20:04 belvdere login[602]: LOGIN ON ttyp2 BY anti FROM serendip.mech.ubc.ca
Nov 19 00:20:10 belvdere PAM_pwdb[610]: (su) session opened for user r0x by anti(uid=0)
Nov 19 00:22:20 belvdere identd[623]: from: 204.244.142.155 ( hope2a28.dial.uniserve.ca ) for: 1049, 21
Nov 19 00:25:14 belvdere pam_rhosts_auth[643]: denied to root@localhost as http: access not allowed
Nov 19 00:25:15 belvdere PAM_pwdb[645]: (login) session opened for user http by (uid=0)
Nov 19 00:25:15 belvdere login[645]: LOGIN ON ttyp3 BY http FROM localhost
Nov 19 00:25:20 belvdere PAM_pwdb[653]: (su) session opened for user www by http(uid=0)
Nov 19 00:25:38 belvdere PAM_pwdb[653]: (su) session closed for user www
Nov 19 00:25:41 belvdere PAM_pwdb[645]: (login) session closed for user http
Nov 19 00:28:16 belvdere identd[672]: from: 204.244.142.155 ( hope2a28.dial.uniserve.ca ) for: 1052, 21
Nov 19 01:01:02 belvdere PAM_pwdb[1624]: (su) session opened for user news by (uid=9)
Nov 19 01:01:14 belvdere PAM_pwdb[1624]: (su) session closed for user news
Nov 19 01:01:34 belvdere PAM_pwdb[610]: (su) session closed for user r0x
Nov 19 01:01:36 belvdere PAM_pwdb[602]: (login) session closed for user anti
Nov 20 14:36:17 belvdere dip[7595]: root dial-up 204.156.152.2/204.156.152.2 to remote 204.156.128.1/204.156.128.1 with CSLIP/296
Nov 20 14:39:25 belvdere pam_rhosts_auth[7626]: denied to root@s057n110.csun.edu as anti: access not allowed
Nov 20 14:39:26 belvdere PAM_pwdb[7627]: (login) session opened for user anti by (uid=0)
Nov 20 14:39:26 belvdere login[7627]: LOGIN ON ttyp2 BY anti FROM s057n110.csun.edu
Nov 20 14:39:29 belvdere PAM_pwdb[7635]: (su) session opened for user r0x by anti(uid=0)
Nov 20 14:39:46 belvdere identd[7646]: from: 128.3.7.48 ( mh1.lbl.gov ) for: 10257, 25
Nov 20 14:40:20 belvdere identd[7654]: from: 204.244.142.134 ( hope2a7.dial.uniserve.ca ) for: 10258, 21
Nov 20 14:46:26 belvdere dip[7595]: >>> DETACH "/sbin/ifconfig sl0 down"
Nov 20 14:46:26 belvdere dip[7595]: root down CSLIP link to remote 204.156.128.1/204.156.128.1
Nov 20 14:46:27 belvdere dip[7595]: Total online:609s in:0 bytes 0 pkts; out:0 bytes 0 pkts
Nov 20 14:46:30 belvdere dip[7595]: DIP: Probably line disconnected!
Nov 20 14:46:30 belvdere dip[7595]: DIP: tty_puts: failed to write to tty (Input/output error)...
Nov 20 14:46:33 belvdere dip[7595]: DIP: Probably line disconnected!
Nov 20 14:46:33 belvdere dip[7595]: DIP: tty_puts: failed to write to tty (Input/output error)...
warning: `-' deprecated; use `ps ax', not `ps -ax'
PID TTY STAT TIME COMMAND
7626 ? S 0:00 in.rlogind
7635 p2 S 0:00 su r0x
7636 p2 S 0:00 bash
7664 p2 S 0:00 vi rootkit.h
7627 p2 S 0:00 login -p -h s057n110.csun.edu -f anti
root tty1 Nov 19 00:00
dfox tty2 Nov 19 12:04
dfox tty3 Nov 19 15:16
dfox tty4 Nov 20 14:56
dfox ttyp0 Nov 19 14:29 (:0.0)
anti ttyp2 Nov 20 14:39 (s057n110.csun.edu) <-- the perp
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com http://archive.redhat.com
To unsubscribe: mail redhat-list-request@redhat.com with
"unsubscribe" as the Subject.
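The two login sequences in the syslog excerpt above share one shape: an rlogin whose .rhosts trust is denied by pam_rhosts_auth, followed seconds later by a successful password login for the same account from the same host, followed seconds after that by an su to a further account. The following script is an added example (not part of the original post or of anything Red Hat shipped) that parses a constructed subset of those lines and raises an alert on exactly that pattern. It assumes the year 1998 for the year-less syslog timestamps and a 60-second correlation window; both are assumptions chosen for this example.

```python
import re
from datetime import datetime

ASSUMED_YEAR = 1998      # syslog lines carry no year; taken from the post date (assumption)
DEFAULT_WINDOW_S = 60    # correlation window between related events (assumption)

# Constructed sample: a subset of the log lines quoted in the post, kept in their original order.
SAMPLE_LOG = """\
Nov 19 00:20:01 belvdere pam_rhosts_auth[596]: denied to roxana@serendip.mech.ubc.ca as anti: access not allowed
Nov 19 00:20:03 belvdere PAM_pwdb[602]: (login) session opened for user anti by (uid=0)
Nov 19 00:20:04 belvdere login[602]: LOGIN ON ttyp2 BY anti FROM serendip.mech.ubc.ca
Nov 19 00:20:10 belvdere PAM_pwdb[610]: (su) session opened for user r0x by anti(uid=0)
Nov 19 01:01:02 belvdere PAM_pwdb[1624]: (su) session opened for user news by (uid=9)
Nov 20 14:39:25 belvdere pam_rhosts_auth[7626]: denied to root@s057n110.csun.edu as anti: access not allowed
Nov 20 14:39:26 belvdere PAM_pwdb[7627]: (login) session opened for user anti by (uid=0)
Nov 20 14:39:26 belvdere login[7627]: LOGIN ON ttyp2 BY anti FROM s057n110.csun.edu
Nov 20 14:39:29 belvdere PAM_pwdb[7635]: (su) session opened for user r0x by anti(uid=0)
"""

# Generic syslog prefix: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
RHOSTS_DENY_RE = re.compile(
    r"denied to (?P<ruser>[^@]+)@(?P<rhost>\S+) as (?P<user>\S+): access not allowed")
LOGIN_RE = re.compile(r"LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<rhost>\S+)")
# "(su) session opened for user r0x by anti(uid=0)"; cron-style su shows "by (uid=9)" with no invoker name
SU_RE = re.compile(
    r"\(su\) session opened for user (?P<target>\S+) by (?P<invoker>[^\s(]*)\(uid=(?P<uid>\d+)\)")


def parse_line(line):
    """Split one syslog line into timestamp, host, program, pid and message; None if it does not fit."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['ts']} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": int(m["pid"]), "msg": m["msg"]}


def detect(log_text, window_s=DEFAULT_WINDOW_S):
    """Correlate rhosts denials, remote logins and su calls; return a list of alert dicts in log order."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    denials = []         # (ts, local account, remote host) from pam_rhosts_auth
    remote_logins = {}   # local account -> (ts, remote host) of its latest remote login
    for e in events:
        msg = e["msg"]
        if e["prog"] == "pam_rhosts_auth":
            d = RHOSTS_DENY_RE.search(msg)
            if d:
                denials.append((e["ts"], d["user"], d["rhost"]))
        elif e["prog"] == "login":
            l = LOGIN_RE.search(msg)
            if not l:
                continue
            remote_logins[l["user"]] = (e["ts"], l["rhost"])
            # Trust was refused, yet the same host got in with a password moments later:
            # the remote side knows this account's password.
            for dts, duser, dhost in denials:
                if duser == l["user"] and dhost == l["rhost"] \
                        and 0 <= (e["ts"] - dts).total_seconds() <= window_s:
                    alerts.append({"rule": "rhosts-deny-then-password-login",
                                   "user": l["user"], "rhost": l["rhost"], "ts": e["ts"]})
                    break
        elif e["prog"] == "PAM_pwdb":
            s = SU_RE.search(msg)
            if not s or not s["invoker"]:
                continue   # not an su line, or an su with no interactive invoker (e.g. cron)
            login = remote_logins.get(s["invoker"])
            if login and 0 <= (e["ts"] - login[0]).total_seconds() <= window_s:
                alerts.append({"rule": "remote-login-then-su", "invoker": s["invoker"],
                               "target": s["target"], "rhost": login[1], "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

Run against the sample, the script flags both nights: the denial-then-login pair from serendip.mech.ubc.ca and from s057n110.csun.edu, and the su to r0x that followed each, while the cron-style su to news (no named invoker, no preceding remote login) stays quiet. The rules key on program name and message text only, so the same correlation works on any syslog stream that carries pam_rhosts_auth, login and su records.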