Date:      Sun, 23 Jun 1996 21:08:46 -0400 (EDT)
From:      jaeger <jaeger@com>
To:        "Jordan K. Hubbard" <jkh@time.cdrom.com>
Cc:        hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject:   Re: I need help on this one - please help me track this guy down!
Message-ID:  <Pine.LNX.3.91.960623204910.5399A-100000@dhp.com>
In-Reply-To: <7979.835575935@time.cdrom.com>

On Sun, 23 Jun 1996, Jordan K. Hubbard wrote:

> jkh      p2  a235.pu.ru       Sun04PM     - -bash (bash)
> 
	Sure gets the heart pounding doesn't it?
> This was "me" on wcarchive.cdrom.com today - when I caught the guy I
> starred myself out of the password file and `watch -W'd' him.  He
> wasn't doing anything special, but when I sent him a "gotcha!"  he
> attempted to remove my home directory (nothing in it, no loss) and
> logged out.  That proves this guy to not only be a cracker but a
> malicious one at that and, were he to be caught and relieved of his
> testicles by the Russian mafia, I would be the first to ask for them
> in a jar as a memento! :-)
> 
> I'm not one to generally get too upset about this kind of thing, but
> breaking into our flagship machine as me is going just a bit too far
> (as was trying to nuke my files when caught - I'd have forgiven him
> but for that, now I want his balls).

	Very amateurish, that.

	Contact the Russians on a secure channel (woo, sounds like a spy
novel). Sweep the machine for suid shells and changed binaries. You might
want to suspend some remote logins until you have this worked out.
	The process accounting logs, if you run that, may be illuminating.
Check your history file (.bash_history in this case) and anything else he
may have left around (I'm somewhat unclear on whether your home directory
was actually removed).
	Even if you find no altered binaries or other evidence the intruder
had gained root access, I'd still fire up lsof and look for sniffers or
backdoor processes.  Use tcp wrappers to deny access from *.ru or all but
selected hosts.
	I'd say your chances of tracking this guy down are pretty slim
unless the Russian hosts weren't root compromised or they were running
enhanced logging or network monitors.
	Could this intrusion possibly have been a result of using cleartext
remote login sessions?

-jaeger
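The sweep jaeger recommends above (look for setuid shells, look for changed binaries), worked through as an added shell example; it is not part of the original thread and not code from either author. It assumes a manifest of known-good file hashes was captured from a trusted state before the incident and kept off the examined host; the directory tree, file contents and the "tampering" in `demo` are constructed here purely for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal post-intrusion sweep
# of the kind described above -- list setuid files under a tree and compare
# file hashes against a known-good manifest captured before the incident.

# hash_file FILE -> prints the SHA-256 hex digest of FILE.
# Uses sha256sum (GNU coreutils) or falls back to shasum -a 256 (perl).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# find_suid DIR -> prints every regular file under DIR with the setuid bit set.
# A setuid copy of a shell left in an odd place is the classic leftover to find.
find_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# build_manifest DIR OUT -> writes "hash path" for every regular file under DIR.
# Build it from a trusted state (install media, a clean sibling host) and store
# OUT outside DIR and off the examined machine, or an intruder can edit it too.
build_manifest() {
    : > "$2"
    find "$1" -type f | sort | while IFS= read -r f; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$2"
    done
}

# check_manifest MANIFEST -> prints paths whose current hash differs from the
# manifest or that have disappeared; returns 1 if anything was flagged.
# Note: files added after the manifest was taken are not listed in it, so this
# check cannot see them -- that is what find_suid is for.
check_manifest() {
    rc=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            echo "CHANGED  $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# demo -> runs the sweep against a constructed tree in a temporary directory;
# the "binaries" are small text files standing in for real programs.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf 'original ls\n' > "$tmp/bin/ls"
    printf 'original sh\n' > "$tmp/bin/sh"

    echo "== baseline manifest =="
    build_manifest "$tmp/bin" "$tmp/manifest"
    check_manifest "$tmp/manifest" && echo "clean"

    # Constructed tampering: one binary modified, a setuid shell copy added.
    printf 'modified\n' >> "$tmp/bin/ls"
    cp "$tmp/bin/sh" "$tmp/bin/.hidden"
    chmod u+s "$tmp/bin/.hidden"

    echo "== after tampering =="
    check_manifest "$tmp/manifest" || echo "manifest check FAILED"
    echo "setuid files:"
    find_suid "$tmp/bin"

    rm -rf "$tmp"
}

demo
```

Run it as `sh sweep.sh`; the baseline passes, then `ls` is reported as CHANGED and the added `.hidden` file turns up in the setuid listing. The two checks are deliberately complementary: the hash manifest catches modified or removed files but is blind to additions, while the setuid scan needs no baseline and catches the dropped file regardless of where it was placed.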