got cracked, part II was: Re: got cracked!
Armin Hartinger
armin@pctechware.com
Mon, 13 Nov 2000 01:10:15 -0700
Ok an update on my little adventure:
I mailed him, no reply.
I dug up another hard drive on which I will set up a new Linux and meanwhile I can plug in the old "corrupted" hdd to keep the show running before I finalize the new setup. Currently I'm playing around with RH7, but the memo from the GCC developers stating that RH7's gcc is only a development version makes me a little uneasy about it. What's the scoop?
When I set up that box originally, I figured "well, who would want to do something with it, it's just a plain gateway box?". But over the months it grew, I put on apache, php, mysql, GnuPG, SMB and used it as development server for my side jobs. Also I set up subdomains for my kids and what not... now I have to set it all up again and it's a royal PITA.
I plan to run too many services on it to be really secure, but I will nevertheless tighten things up a bit. FTP will go for sure. I guess I'd rather log in remotely via SSH and ftp manually from there. I'll also take some closer looks into "Maximum Linux Security" which I picked up a while ago. My firewall rules were a bit liberal too...
Another thing I'd be interested in is some form of automated backup of certain directories. I don't have a backup drive at the moment and I don't really want to run another electricity-hogging PC constantly which could suck down files with 'expect' or similar... anybody got ideas?
Now some more details about my corrupted box & that cracker.
Whatever he wrote about how he didn't damage anything, just deleted the logs and changed some html files, doesn't sound very likely. HE created a new user "skizzo", some more user groups and pseudo-legit accounts. Judging from the remaining files in a directory ".stuff" in /home/skizzo/, he installed one or more bots on the system. Looking into cron.d and rc.d showed all kinds of weird stuff being called.
I also found a .gz and programs called "adore" and "ava". Ava seems to be a program to hide tasks so they don't show up with "ps" anymore and something else weird it seems to do with PIDs. Adore does some other little thingies...
from ava.c:
    printf("Usage: %s {h,u,r,i,v,U} [file, PID or dummy (for 'U')]\n\n"
           " h hide file\n"
           " u unhide file\n"
           " r execute as root\n"
           " U uninstall adore\n"
           " i make PID invisible\n"
           " v make PID visible\n\n", argv[0]);
If anybody wants those programs to play around with them... just lemme know.
Well, bottom line is that I absolutely will set up a new OS and will tighten security a little. Since I was an easy target once as it seems, I can expect more to come, right?
-Armin
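The process-hiding behaviour described above (tasks that no longer show up in "ps") is what a hidden-process check looks for. As an added example, not part of this thread or of the programs found on the box, the Python script below compares the PIDs that a directory listing of /proc yields (what ps relies on) with the PIDs that answer kill(pid, 0), and reports those that only the second method finds. Function names are this example's own; it assumes a Linux /proc and is most useful run as root.

```python
import os

def listed_pids(proc="/proc"):
    """PIDs visible by enumerating /proc, which is what ps(1) relies on."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}

def is_non_leader_thread(pid, proc="/proc"):
    """True if pid is a thread of another process.  Threads answer kill()
    but are never listed in /proc, so they would be false positives."""
    try:
        with open(f"{proc}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False  # status unreadable: keep the PID as a candidate

def probed_pids(max_pid=32768, proc="/proc"):
    """PIDs that exist according to kill(pid, 0), found without readdir.
    max_pid defaults to the classic pid_max; read /proc/sys/kernel/pid_max
    on kernels configured with a larger range."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue              # ESRCH: no such process
        except PermissionError:
            pass                  # EPERM: exists, belongs to another user
        if not is_non_leader_thread(pid, proc):
            found.add(pid)
    return found

def find_hidden(listed, probed):
    """PIDs that answered a probe but are missing from the listing."""
    return sorted(set(probed) - set(listed))

def report(listed, probed):
    hidden = find_hidden(listed, probed)
    if not hidden:
        return "no hidden PIDs found"
    return "possible hidden PIDs: " + ", ".join(str(p) for p in hidden)

if __name__ == "__main__":
    print(report(listed_pids(), probed_pids()))
```

Run it twice and compare, since processes that exit between the listing and the probe show up as false positives. A kernel module that filters both paths will still evade it, so a box suspected of hosting one should be examined from a clean boot medium before anything on it is trusted.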
----- Original Message -----
From: Lucas Vogel
To: 'plug-discuss@lists.PLUG.phoenix.az.us'
Sent: Sunday, November 12, 2000 11:40 PM
Subject: RE: got cracked!
I wonder, would he really send you the patch if you emailed him for it? Anyone know? I know almost nothing about hacking/hackers/etc...
-----Original Message-----
From: Armin Hartinger [mailto:armin@pctechware.com]
Sent: Sunday, November 12, 2000 1:05 AM
To: Plug-discuss@lists.PLUG.phoenix.az.us
Subject: got cracked!
drwxrwxrwx  7 110   203   4096 Nov  4 22:45 .
drwxr-xr-x 14 110   203   4096 Sep 24 12:04 ..
-rw-r--r--  1 armin armin 2326 Sep 25 18:25 apache_pb.gif
drwxrwxr-x  2 armin armin 4096 Sep 25 18:27 deborah
drwxrwxrwx  4 armin armin 4096 Oct 10 14:45 dev
-rw-r--r--  1 root  ftp   1431 Oct 24 20:06 index.html
drwxrwxrwx  2 armin armin 4096 Nov 11 17:01 kristen
drwxrwxrwx  3 armin armin 4096 Nov 11 16:08 lauren
drwxrwxrwx  7 110   203   4096 Aug 16  1999 manual
-rw-r--r--  1 root  ftp     66 Oct 24 20:04 old.html
[armin@gateway /www]$
Someone hacked into my little Linux gateway box. He defaced index.html and saved the old one as old.html
That he appears as root/ftp, is that an indication how he got in?
I had anon. ftp running, using the default one RH 6.2 ships with (wu-2.6.0).
I suppose I have to completely re-setup that box, I just would like to know what hole to close there.
Any ideas?
If anybody wants to see the deface before I fix my box: http://24.221.63.194/