Subject: I am not afraid. I have been hit by something, maybe you can help.
From: Sean Foley (yearling GTE.NET)
Date: Fri Aug 11 2000 - 23:03:21 CDT
- Next message: Samu: "Re: Bandwidth Limiting"
- Previous message: Amin Lalji: "Re: Bandwidth Limiting"
- Next in thread: Paul Timmins: "Re: I am not afraid. I have been hit by something, maybe you can help."
- Reply: Paul Timmins: "Re: I am not afraid. I have been hit by something, maybe you can help."
- Reply: Sean Foley: "Maybe gethostbyname vulnerability."
- Reply: Guilherme Mesquita: "Re: I am not afraid. I have been hit by something, maybe you can help."
- Reply: Andrew Hatfield: "Re: I am not afraid. I have been hit by something, maybe you can help."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This looks like something new. My site has been up for only
a few weeks or so, and nothing really critical has been
exposed to the world. Before this I was being rather lax
about allowing telnet connections because I am away from
the site and have to work on it in my spare time; I am
moving to ssh tonight.
It started just yesterday: all logins are using a terminal
type of "dumb". I have to set my terminal type manually now
if I want to run anything useful in a text terminal. I
think the hacker has changed the login exec for all users,
somehow through telnet.
I found their stinky trail in two places; please take a
look at the following output from the two affected systems.
achem is running RH 6.2 (zoot) and angel is a RH 6.0 (Hedwig)
box. I am not going to hide the addresses that the slime
used to do this; they may have been spoofed, but I doubt
that was possible with my filters:
angel.mydomain.com ls -algctr /usr/sbin, /bin, /sbin, /usr/bin, /dev
...
drwxr-xr-x 2 root root 1024 Aug 10 16:26 .backup
drwxr-xr-x 18 root root 1024 Aug 10 20:09 ..
prw------- 1 root root 0 Aug 11 16:32 initctl
...
---------below I see the sleaze connect pattern in /var/log/secure
Aug 10 16:24:43 angel in.telnetd[991]: connect from 209.208.201.115
Aug 10 16:24:58 angel in.telnetd[992]: connect from 209.209.18.197
-----------------------On my other affected host...
achem.mydomain.com$ ls -algctr /usr/sbin, /bin, /sbin, /usr/bin, /dev
...
drwxr-xr-x 2 root root 1024 Aug 10 20:24 .backup
drwxr-xr-x 17 root root 1024 Aug 10 20:24 ..
...
--------what a surprise, the sleazy ***holes connected to
my laptop 4 hours later from the same hosts
in /var/log/secure
Aug 10 20:21:35 achem in.telnetd[1125]: connect from 209.208.201.115
Aug 10 20:23:37 achem in.telnetd[1126]: connect from 209.209.18.197
**********************
In the /dev/.backup directories on both machines there is a
binary called login.
Thanks for looking at this. I am relatively new to Linux,
but I am not afraid. I would like to know if anyone has
seen these symptoms and if you know of the best way to get
my logins back to the normal terminal type. Any resource
suggestions would be super cool.
Sean
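An added example, not part of Sean's post or of any reply in the thread: a small Python checker for the two traces he describes. It parses the in.telnetd "connect from" records from /var/log/secure (the lines quoted above, re-joined onto single lines as constructed sample input; syslog omits the year, so 2000 is assumed), reports source addresses that reached more than one of the administrator's hosts and how far apart the first contacts were, and walks a directory tree for dot-named subdirectories of the kind found under /dev here. The function names, the regular expression and the constructed mock /dev tree are assumptions made for illustration, not anything from the post.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the in.telnetd lines quoted in the post,
# re-assembled into single syslog lines (the list archive wrapped them).
SECURE_LOG = """\
Aug 10 16:24:43 angel in.telnetd[991]: connect from 209.208.201.115
Aug 10 16:24:58 angel in.telnetd[992]: connect from 209.209.18.197
Aug 10 20:21:35 achem in.telnetd[1125]: connect from 209.208.201.115
Aug 10 20:23:37 achem in.telnetd[1126]: connect from 209.209.18.197
"""

# Assumed shape of the tcp_wrappers-style record that in.telnetd logs.
CONNECT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"in\.telnetd\[\d+\]: connect from (?P<src>\S+)$"
)


def parse_connects(text, year=2000):
    """Return (timestamp, host, source) for every telnetd connect line.

    Syslog timestamps carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["src"]))
    return events


def sources_on_multiple_hosts(events):
    """Source addresses seen on more than one logging host: src -> sorted hosts."""
    hosts_by_src = defaultdict(set)
    for _, host, src in events:
        hosts_by_src[src].add(host)
    return {src: sorted(h) for src, h in hosts_by_src.items() if len(h) > 1}


def first_seen(events, src):
    """host -> earliest connection time recorded from `src`."""
    seen = {}
    for ts, host, s in events:
        if s == src and (host not in seen or ts < seen[host]):
            seen[host] = ts
    return seen


def hours_between_hosts(events, src, host_a, host_b):
    """Hours from the first contact on host_a to the first contact on host_b."""
    seen = first_seen(events, src)
    return (seen[host_b] - seen[host_a]).total_seconds() / 3600.0


def find_hidden_dirs(root):
    """Relative paths of dot-named directories anywhere under `root`.

    /dev normally holds device nodes, so a dot-directory there deserves a look."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.startswith("."):
                hits.append(os.path.relpath(os.path.join(dirpath, d), root))
    return sorted(hits)


def check_constructed_dev_tree():
    """Build a constructed mock /dev (a '.backup/login' file beside a normal
    'pts' directory) in a temp dir and return what find_hidden_dirs reports."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, ".backup"))
        open(os.path.join(tmp, ".backup", "login"), "w").close()
        os.makedirs(os.path.join(tmp, "pts"))
        return find_hidden_dirs(tmp)


if __name__ == "__main__":
    ev = parse_connects(SECURE_LOG)
    for src, hosts in sources_on_multiple_hosts(ev).items():
        gap = hours_between_hosts(ev, src, hosts[1], hosts[0])
        print(f"{src} reached {', '.join(hosts)}; {abs(gap):.2f} h between first contacts")
    print("mock /dev check:", check_constructed_dev_tree())
    if os.path.isdir("/dev"):
        print("dot-directories under the real /dev:", find_hidden_dirs("/dev"))
```

Run as a script it prints both source addresses with the roughly four-hour gap between the angel and achem contacts, the mock tree's `.backup` hit, and whatever dot-directories exist under the real /dev on the machine it runs on. On a suspected compromise the log-side check should be run against copies of the logs taken off the host, since the same actor who dropped a replacement login binary may have edited /var/log/secure as well.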