[1754] in SIPB_Linux_Development


breakin report - sniffer running in 18.242.*

daemon@ATHENA.MIT.EDU (Edwin Foo)
Mon Aug 18 14:26:11 1997

From: Edwin Foo <efoo@MIT.EDU>
To: net-security@MIT.EDU
Cc: stopit@MIT.EDU, linux-dev@MIT.EDU, efoo@MIT.EDU, kvlee@MIT.EDU,
        goblin@MIT.EDU, fubob@MIT.EDU, bdrosen@MIT.EDU
Date: Mon, 18 Aug 1997 14:25:56 -0400


Between 12-1am Sunday morning (8/17), a PPP dialup from NYC (escape.com:
205.160.47.*) logged into raptor.mit.edu with the username chenghan, and
his legit Kerberos password (we don't know how chenghan's password was
compromised. Maybe escape.com was sniffed?). The intruder then exploited
bugs in old Slackware Linux distributions (check latest message to
linux-dev@mit.edu from fubob@mit.edu), got root, and then proceeded to turn
raptor.mit.edu into a trojan horse and packet sniffer for the Next House
network. From there, they acquired passwords for several more Athena
accounts, as well as several common hostnames, which were then attacked.

I first found out about this when my own machine, hesed.mit.edu, was
attacked using the same techniques (exploit of su buffer overrun). However,
since I run RedHat 4.2 and not Slackware, they were unsuccessful, but still
made off with my /etc/passwd (I recorded several connections to
FTPD). About that time, mitochrondria.mit.edu also got hit, and when I got
back to my room about 10:30pm Sunday I noticed something was strange and
spoke with mitochondria's owner (kvlee@mit.edu), which led us both to
goblin@mit.edu (owner of raptor).

Their method seems to be to get root, then FTP several files from
their own machine which constitute a cracking kit of sorts. This includes:

1) packet sniffer
2) IP masquerade Linux kernel module
3) telnetd replacement which captures all keystrokes to a file
4) some sort of modification to vi or pico - unsure what it is.
5) enable rsh access as root
6) all of this was placed under /dev/.mud, and some sort of hidden file
/dev/h0, which didn't show up under ls

Fortunately for us, someone didn't cover their tracks too well - they
messed up trying to delete /var/log/wtmp, and more importantly,
/root/.bash_history, which is how we know pretty much what happened to
raptor.mit.edu. Unfortunately, I've got a text file with about 20-30+
Athena usernames and passwords, along with LCS accounts/passwords, Harvard
passwords, BU passwords, etc... all sniffed off 18.242.* from 12am-about
10pm Aug. 17. I'm pretty sure the hacker already has a copy of those files
as well. I don't really know what to do with it -- I'm trying to extract
all the usernames I can so I can notify these people that their passwords
have been compromised, but we (me, kvlee@mit.edu, goblin@mit.edu, and
secondarily, fubob@mit.edu) don't really know where to go from here.

Any help would be appreciated. I have contacted rok@escape.com, who seems
to be a tech-support person over there -- he said please feel free to email
him with any further info we might be able to provide to help track down
this hacker. However, the real sysadmin at escape.com is out right now
(2:20pm). I have a rather big zip file with the complete contents of
/dev/.mud, as well as this fellow's bash_history file, if you think it'll
help.

raptor.mit.edu is completely offline, and hesed.mit.edu and
mitochrondria.mit.edu have completely disabled all Athena logins known to
be compromised, but there's plenty of other machines for them to use, and
no doubt more Slackware Linux boxes.

thanks,
Edwin

-------------
MIT Computer Science '98 - Systems and Architecture    | The FooBunny
                                                       | efoo@mit.edu
DEC Cambridge Research Lab - Parallel Computing Group  | (617) 225-8826
Residential Computing Consultant (RCC) - New House     | Romans 12:9

"Love must be sincere; Hate what is evil; cling to what is good."    ><>
-------------
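As an added defender's check, not part of the original report: a small Python scan that walks a /dev tree and flags the two kinds of entries the report describes (hidden names such as /dev/.mud and regular files such as /dev/h0, which have no business under /dev). The demo tree it builds is a constructed sample, and the list of tmpfs subdirectories it skips is an assumption to tune per system.

```python
import os
import stat
import tempfile

# Assumption: these /dev subtrees are tmpfs mounts that legitimately hold
# regular files on many Linux systems, so they are not walked.
SKIP_SUBTREES = {"shm", "mqueue"}


def scan_dev(dev_path="/dev"):
    """Return sorted (relative_path, reason) pairs for suspicious entries:
    hidden names anywhere under dev_path, and regular files (device nodes,
    FIFOs, sockets and symlinks are expected under /dev and are ignored)."""
    findings = []
    for root, dirs, files in os.walk(dev_path):
        rel_root = os.path.relpath(root, dev_path)
        if rel_root == ".":
            dirs[:] = [d for d in dirs if d not in SKIP_SUBTREES]
        for name in dirs:
            if name.startswith("."):
                rel = os.path.normpath(os.path.join(rel_root, name))
                findings.append((rel, "hidden directory"))
        for name in files:
            rel = os.path.normpath(os.path.join(rel_root, name))
            mode = os.lstat(os.path.join(root, name)).st_mode
            if stat.S_ISREG(mode):
                findings.append((rel, "regular file"))
            elif name.startswith("."):
                findings.append((rel, "hidden entry"))
    return sorted(findings)


def build_demo_tree():
    """Constructed sample mimicking the layout the report describes; the
    contents are placeholders, not material from the incident."""
    base = tempfile.mkdtemp(prefix="fakedev-")
    os.makedirs(os.path.join(base, ".mud"))
    with open(os.path.join(base, ".mud", "sniffer.log"), "w") as f:
        f.write("constructed sample\n")
    with open(os.path.join(base, "h0"), "w") as f:
        f.write("constructed sample\n")
    os.makedirs(os.path.join(base, "pts"))      # legitimate subdirectory
    os.mkfifo(os.path.join(base, "initctl"))    # legitimate non-regular entry
    return base


if __name__ == "__main__":
    base = build_demo_tree()
    for rel, reason in scan_dev(base):
        print(f"{reason:18} {os.path.join(base, rel)}")
```

Running it against a real /dev needs root only to read directories like /dev/pts; anything it reports should be cross-checked with a known-good tool, since the report notes the intruder's /dev/h0 was invisible to the trojaned ls.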
