Subject: Intrusion, WuFTP exploit?
From: David Knaack (dknaack RDTECH.COM)
Date: Fri Jul 07 2000 - 19:31:45 CDT
- Next message: Ryan Russell: "Re: Simultaneous Attacks"
- Previous message: Michal Nazarewicz: "Re: scan log and subsequent response from the host's ISP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Early morning, July 5th a box was attacked and the (apparently
really pathetic and stupid) hacker gained root access to the
system.
Access was obtained with what appears to have been slam.sh,
a PAM exploit.
Two accounts are created, x (uid=0) and donx.
The kiddie logs in and apparently FTPs some files down:
Jul 5 03:57:53 genesis identd[2794]: Connection from rdu25-11-016.nc.rr.com
Jul 5 03:57:57 genesis named[410]: Lame server on '16.11.25.24.in-addr.arpa' (in '11.25.24.in-addr.arpa'?): [24.128.1.80].53 'NS1.MEDIAONE.NET'
Jul 5 03:57:57 genesis identd[2794]: from: 24.25.11.16 rdu25-11-016.nc.rr.com ) for: 1084, 21
Jul 5 03:58:30 genesis PAM_pwdb[2797]: (su) session opened for user x by donx(uid=508)
'don' kindly left his .bash_history intact. He ran a program
called 'zip' (IIRC) with parameters 'don' and 'hell.com'.
I'm not sure what the app does, but if he left it lying
around I plan on checking.
It is amusing to note that 'don' has made repeated attempts
to telnet into the box, from the same IP from which he rooted
the box (208.191.202.76)!
dk
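The three things the post pulls out of syslog (an extra uid-0 account, an su session into that account by an unprivileged user, and an identd query showing the box fetching files over FTP) can be checked mechanically. The script below is an added example, not part of the original post or the Neohapsis archive; its log and passwd samples are constructed from the lines quoted above plus one hypothetical benign su-to-root line, and it assumes pidentd's "for: <local port>, <remote port>" layout for the identd line.

```python
"""Triage the syslog lines quoted in the post: rogue uid-0 accounts,
su sessions into accounts other than root, and identd evidence of
outbound FTP.  Added example; samples below are constructed."""
import re
from typing import Dict, List

# Constructed sample: the post's log lines rejoined onto single lines, plus
# one hypothetical benign su-to-root line so the filter has something to ignore.
SAMPLE_LOG = """\
Jul 5 03:57:53 genesis identd[2794]: Connection from rdu25-11-016.nc.rr.com
Jul 5 03:57:57 genesis identd[2794]: from: 24.25.11.16 rdu25-11-016.nc.rr.com ) for: 1084, 21
Jul 5 03:58:30 genesis PAM_pwdb[2797]: (su) session opened for user x by donx(uid=508)
Jul 5 09:12:01 genesis PAM_pwdb[3011]: (su) session opened for user root by admin(uid=500)
"""

# Constructed /etc/passwd snapshot in the state the post describes:
# an extra uid-0 account 'x' and the unprivileged 'donx' (uid 508).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:500:500:Admin:/home/admin:/bin/bash
x:x:0:0::/root:/bin/bash
donx:x:508:508::/home/donx:/bin/bash
"""

SU_RE = re.compile(
    r"PAM_pwdb\[\d+\]: \(su\) session opened for user (\S+) by (\S+)\(uid=(\d+)\)")
# Assumed pidentd layout: "from: <ip> ( <host> ) for: <local port>, <remote port>".
# The opening parenthesis is optional because the quoted line lost it.
IDENTD_RE = re.compile(
    r"identd\[\d+\]: from: (\S+) \(?\s*(\S+) \) for: (\d+), (\d+)")


def parse_passwd(text: str) -> Dict[str, int]:
    """Map account name -> numeric uid from passwd-format text."""
    uids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            uids[fields[0]] = int(fields[2])
    return uids


def rogue_uid0_accounts(passwd_text: str) -> List[str]:
    """Every account besides root that shares uid 0 (the 'x' account in the post)."""
    return sorted(name for name, uid in parse_passwd(passwd_text).items()
                  if uid == 0 and name != "root")


def suspicious_su_sessions(log_text: str, passwd_text: str) -> List[dict]:
    """su sessions whose target is a uid-0 account other than root, or whose
    target no longer exists in passwd (account removed after use)."""
    uids = parse_passwd(passwd_text)
    hits = []
    for line in log_text.splitlines():
        m = SU_RE.search(line)
        if not m:
            continue
        target, actor, actor_uid = m.group(1), m.group(2), int(m.group(3))
        target_uid = uids.get(target)
        if target != "root" and (target_uid == 0 or target_uid is None):
            hits.append({"line": line, "target": target, "target_uid": target_uid,
                         "actor": actor, "actor_uid": actor_uid})
    return hits


def outbound_ftp_from_identd(log_text: str) -> List[dict]:
    """identd queries whose remote port is 21: a process on this host opened a
    connection to an FTP server at the querying address (the file pull in the post)."""
    hits = []
    for line in log_text.splitlines():
        m = IDENTD_RE.search(line)
        if m and int(m.group(4)) == 21:
            hits.append({"remote_ip": m.group(1), "remote_host": m.group(2),
                         "local_port": int(m.group(3))})
    return hits


if __name__ == "__main__":
    for name in rogue_uid0_accounts(SAMPLE_PASSWD):
        print(f"uid-0 account other than root: {name}")
    for h in suspicious_su_sessions(SAMPLE_LOG, SAMPLE_PASSWD):
        print(f"su to {h['target']} (uid {h['target_uid']}) by {h['actor']} (uid {h['actor_uid']})")
    for h in outbound_ftp_from_identd(SAMPLE_LOG):
        print(f"outbound FTP from local port {h['local_port']} to {h['remote_ip']} ({h['remote_host']})")
```

Run against a real host, the passwd check is the one to keep: a second uid-0 entry survives log cleaning, whereas the su and identd lines only exist if the intruder left syslog alone, as this one did.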