got cracked, part II was: Re: got cracked!

Armin Hartinger armin@pctechware.com
Mon, 13 Nov 2000 01:10:15 -0700



Ok an update on my little adventure:

I mailed him, no reply.

I dug up another harddrive on which I will set up a new Linux and meanwhile I can plug in the old "corrupted" hdd to keep the show running before I finalize the new setup. Currently I'm playing around with RH7, but the memo from the GCC developers stating that RH7's gcc is only a development version makes me a little uneasy about it. What's the scoop?

When I set up that box originally, I figured "well, who would want to do something with it, it's just a plain gateway box?". But over the months it grew, I put on apache, php, mysql, GnuPG, SMB and used it as development server for my sidejobs. Also I set up subdomains for my kids and what not... now I have to set it all up again and it's a royal PITA.

I plan to run too many services on it to be really secure, but I will nevertheless tighten things up a bit. FTP will go for sure. I guess I'd rather log in remotely via SSH and ftp manually from there. I also will take some closer looks into "Maximum Linux Security" which I picked up a while ago. My firewall rules were a bit liberal too...

Another thing I'd be interested in is some form of automatized backup of certain directories. I don't have a backup drive at the moment and I don't really want to run another electricity hogging PC constantly which could suck down files with 'expect' or similar... anybody got ideas?

Now some more details about my corrupted box & that cracker.

Whatever he wrote about that he didn't damage anything, just deleted the logs and changed some html-files doesn't sound at all likely. HE created a new user "skizzo", some more usergroups and pseudo-legit accounts. Judging from the remaining files in a directory ".stuff" in /home/skizzo/, he installed one or more bots in the system. Looking into cron.d and rc.d showed all kinds of weird stuff called.
I also found a .gz and programs called "adore" and "ava". Ava seems to be a program to hide tasks so they don't show up with "ps" anymore and something else weird it seems to do with PIDs. Adore does some other little thingies...
from ava.c:
            printf("Usage: %s {h,u,r,i,v,U} [file, PID or dummy (for 'U')]\n\n"
         "       h hide file\n"
         "       u unhide file\n"
         "       r execute as root\n"
         "       U uninstall adore\n"
         "       i make PID invisible\n"
         "       v make PID visible\n\n", argv[0]);

If anybody wants those programs to play around with them... just lemme know.

Well, bottomline is that I absolutely will set up a new OS and will tighten security a little. Since I was an easy target once as it seems, I can expect more to come, right?

-Armin
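The "make PID invisible" option in ava's usage text above is the part of adore a responder most wants to be able to detect. The following is an added example, not code from the thread or from adore: it contrasts the readdir() view of /proc that ps relies on (and that a kernel rootkit filters) with direct per-PID probing via kill(pid, 0), and it explains away the two usual false positives, thread IDs and processes that exit mid-scan. It assumes a Linux /proc; all function names are my own.

```python
import os

def alive(pid):
    """kill(pid, 0) sends no signal: ESRCH means gone, EPERM means present."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def parse_status(text):
    # Turn the 'Key:<tab>value' lines of /proc/<pid>/status into a dict.
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def classify(pid, listed, status_text):
    """Thread IDs answer kill(tid, 0) but never appear at the top of /proc,
    so a missing PID whose Tgid is listed is a thread, not a hidden process."""
    tgid = int(parse_status(status_text).get("Tgid", pid))
    return "thread" if tgid != pid and tgid in listed else "hidden"

def hidden_processes(listed, probed, read_status, is_alive):
    """Map pid -> command name for processes that exist but are not listed."""
    found = {}
    for pid in sorted(probed - listed):
        try:
            text = read_status(pid)
        except FileNotFoundError:
            if is_alive(pid):  # status file hidden too, yet still answers kill
                found[pid] = "?"
            continue           # otherwise it exited in between: a race, not hiding
        if classify(pid, listed, text) == "hidden":
            found[pid] = parse_status(text).get("Name", "?")
    return found

def read_status(pid):
    with open(f"/proc/{pid}/status") as f:
        return f.read()

def scan():
    """Live scan: probe first, then list, so a process started in between is not a false positive."""
    with open("/proc/sys/kernel/pid_max") as f:
        probed = {pid for pid in range(1, int(f.read()) + 1) if alive(pid)}
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    return hidden_processes(listed, probed, read_status, alive)
```

On a current kernel pid_max is several million, so the probe loop takes a few seconds; run it from a known-clean shell and rescue media if you suspect the kernel itself is hooked, since a rootkit can lie to kill() as well as to readdir().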



----- Original Message -----
  From: Lucas Vogel
  To: 'plug-discuss@lists.PLUG.phoenix.az.us'
  Sent: Sunday, November 12, 2000 11:40 PM
  Subject: RE: got cracked!


  I wonder, would he really send you the patch if you emailed him for it? Anyone know? I know almost nothing about hacking/hackers/etc...
    -----Original Message-----
    From: Armin Hartinger [mailto:armin@pctechware.com]
    Sent: Sunday, November 12, 2000 1:05 AM
    To: Plug-discuss@lists.PLUG.phoenix.az.us
    Subject: got cracked!


    drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
    drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
    -rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
    drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
    drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
    -rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
    drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
    drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
    drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
    -rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
    [armin@gateway /www]$

    Someone hacked into my little Linux gateway box. He defaced index.html and saved the old one as old.html
    That he appears as root/ftp, is that an indication how he got in?

    I had anon. ftp running, using the default one RH 6.2 ships with (wu-2.6.0).

    I suppose I have to completely re-setup that box, I just would like to know what hole to close there.

    Any ideas?

    If anybody wants to see the deface before I fix my box: http://24.221.63.194/
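Reading a listing like the one in the original post for signals is the first triage step: the world-writable directories, the entries with numeric uid/gid that no longer map to an account, and the two files written minutes apart by root:ftp all stand out. The following is an added example, not code from the thread: it parses that `ls -l` output (reproduced as sample input) and reports those three signals. The `expected_owners` parameter and all function names are my own.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "mode links owner group size mtime name")

# The /www listing from the original post, reproduced here as sample input.
LISTING = """\
drwxrwxrwx    7 110      203          4096 Nov  4 22:45 .
drwxr-xr-x   14 110      203          4096 Sep 24 12:04 ..
-rw-r--r--    1 armin    armin        2326 Sep 25 18:25 apache_pb.gif
drwxrwxr-x    2 armin    armin        4096 Sep 25 18:27 deborah
drwxrwxrwx    4 armin    armin        4096 Oct 10 14:45 dev
-rw-r--r--    1 root     ftp          1431 Oct 24 20:06 index.html
drwxrwxrwx    2 armin    armin        4096 Nov 11 17:01 kristen
drwxrwxrwx    3 armin    armin        4096 Nov 11 16:08 lauren
drwxrwxrwx    7 110      203          4096 Aug 16  1999 manual
-rw-r--r--    1 root     ftp            66 Oct 24 20:04 old.html
"""

# One `ls -l` line: type+perms, link count, owner, group, size, date, name.
LINE = re.compile(r"^([-dlbcps][rwxsStT-]{9})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
                  r"(\w{3}\s+\d{1,2}\s+[\d:]+)\s+(.+)$")

def parse_listing(text):
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append(Entry(m[1], int(m[2]), m[3], m[4], int(m[5]), m[6], m[7]))
    return entries

def triage(text, expected_owners):
    """Return (name, reason) pairs a responder should look at first."""
    findings = []
    for e in parse_listing(text):
        if e.mode[8] == "w":  # the 'other' write bit
            findings.append((e.name, "world-writable: any local account, including a "
                                     "service account, can create or replace files here"))
        if e.owner.isdigit() or e.group.isdigit():
            findings.append((e.name, f"numeric owner {e.owner}:{e.group}: ls found no "
                                     "passwd/group entry for it on this host"))
        elif e.owner not in expected_owners or e.group not in expected_owners:
            findings.append((e.name, f"owned by {e.owner}:{e.group}, not by the "
                                     f"expected {sorted(expected_owners)}"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(LISTING, {"armin"}):
        print(f"{name:15} {reason}")
```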
