[40844] in North American Network Operators' Group


resolved Re: should i publish a list of cracked machines?

daemon@ATHENA.MIT.EDU (Jim Mercer)
Thu Aug 23 12:36:47 2001

Date: Thu, 23 Aug 2001 12:39:21 -0400
From: Jim Mercer <jim@reptiles.org>
To: nanog@merit.edu
Message-ID: <20010823123921.D10630@reptiles.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.1.0.14.2.20010823085959.02a29ca8@pop3.norton.antivirus>; from mike@trest.com on Thu, Aug 23, 2001 at 09:02:12AM -0700
Errors-To: owner-nanog-outgoing@merit.edu
ok, having seen numerous comments (and numerous requests for the file), i
have decided to punt the list to cert.org and let them deal with it.

- as much as i'd like to, i don't have the time/energy to run through
   the list and contact each netadmin.  i've walked that trail before
   while attempting to nip a few DoS attacks.

- i will not send the list to anyone other than cert, unless suggestions
   can be made for other "authoritative" groups who will maybe pick up
   the task of contacting the netadmins in the list

my suspicions and some things to look for:

- boxes were compromised using the buffer overflow in telnetd (speculation)
- my box had a bogus /usr/sbin/nscd (which is not a normal FreeBSD binary)
- nscd appears to be a hacked sshd, listening on a 14000 series port
- it had its own /etc/ssh_* config files (FreeBSD puts them in /etc/ssh/ssh_*)
- there was a file in /dev/ptaz which appeared to be DES crypto gunge
- there were a bunch of irc/eggdrop related files in a ".e" directory of
    one of the user's $HOME

suggestions for looking about:

- do an ls -lta in bindirs, my systems generally have all /bin /usr/bin files
    with the same timestamp

- do a "du /dev" and look for anomalies
- do a "cd /dev ; ls -l | grep -e-" and look for anomalies
- do a "ls -ltra /" (as well as /usr and /usr/local) and look for anomalies

-- 
[ Jim Mercer        jim@reptiles.org         +1 416 410-5633 ]
[ Now with more and longer words for your reading enjoyment. ]
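The "suggestions for looking about" above, scripted as a small triage helper. This is an added example, not code from Jim's post; the function names (timestamp_outliers, regular_files_in_dev, recent_changes, triage) and the TRIAGE_RUN variable are mine, and it assumes POSIX sh plus ls, find and awk as shipped on BSD or GNU systems.

```shell
#!/bin/sh
# Added example, not part of the original post: the checks from the
# "suggestions for looking about" list as small shell functions. Assumes
# POSIX sh plus ls, find and awk (GNU or BSD); paths are the caller's.

# 1. Files in a bin directory whose timestamp differs from the directory's
#    most common one. On a clean install most binaries share the install
#    mtime, so a lone newer file (like the bogus nscd above) stands out.
#    Uses ls -l fields 6-8 (month day time|year), which BSD and GNU share.
timestamp_outliers() {
    LC_ALL=C ls -l "$1" | awk '
        $1 ~ /^-/ { ts = $6 " " $7 " " $8; stamp[NR] = ts; name[NR] = $NF; n[ts]++ }
        END {
            best = ""
            for (t in n) if (n[t] > n[best]) best = t
            for (i in name) if (stamp[i] != best) print stamp[i], name[i]
        }'
}

# 2. Regular files under /dev. That tree should hold device nodes and
#    directories only, so an ordinary file (the /dev/ptaz find above) is
#    a much sharper signal than eyeballing "du /dev".
regular_files_in_dev() {
    find "${1:-/dev}" -type f 2>/dev/null
}

# 3. Top-level entries of a directory modified after a reference file:
#    the scripted form of "ls -ltra /" with a known-good file as the cutoff.
recent_changes() {
    find "$1" -mindepth 1 -maxdepth 1 -newer "$2" 2>/dev/null
}

# Run all three against the live system. $1 is a file whose mtime you
# trust as "before the incident" (e.g. a log rotated before the breach).
triage() {
    for d in /bin /usr/bin /usr/sbin; do
        echo "== timestamp outliers in $d"; timestamp_outliers "$d"
    done
    echo "== regular files under /dev"; regular_files_in_dev /dev
    for d in / /usr /usr/local; do
        echo "== entries in $d newer than $1"; recent_changes "$d" "$1"
    done
}

# Only run against the real system when explicitly asked:
#   TRIAGE_RUN=1 sh triage.sh /var/log/messages.0
if [ "${TRIAGE_RUN:-0}" = 1 ]; then triage "$1"; fi
```

timestamp_outliers takes the last whitespace-separated field as the file name, so names containing spaces will print truncated; in /bin and /usr/bin that is itself an anomaly worth noticing.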
