Don't feed the animals. /m
----- Original Message -----
From: "Billy B. Bilano" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, September 16, 2004 12:54 PM
Subject: [Full-Disclosure] Severe exploit found, all UNIX are affected!

> Dudes,
>
> Bad news today. Oh my goodness! I am in a tizzy-fit over this! I am such an expert at system administrating but even the best of us fall from glory now and then. And let me tell you, this is one time I believe somebody got the best of me... and that somebody is a fellow named Charles!
>
> It all started when my big OpenBSD box took a dumper and I got paged. So I get into the bank and start to look around and I poke and prod the box and then I log into it and run the appropriate debug tools (ls, ps, top, cut, etc. -- pun not intended). I notice, at long last, that the console messages were not lying... the hard drive was indeed full! (You can never be too sure about that sort of thing, as everybody will agree.)
>
> The offending file was the previous administrator (Stan, who got fired when I became IT director because he was a puss and always joked about beer and had a picture of some baby looking at teats saying "lunch" on his cube wall -- that offended me as a larger man). So his old administrator account has a huge mail spoolball that is taking up 80% of the drive! Holy crappers! So I logged in as "stan" and used his password he gave me in exchange for his severance package. I typed "mail" hoping to see if this would let me view his mail and it did -- thank god! What I saw scared the holy mole dickens out of me...
>
> Thousands of emails! As I started reading them, I realized the full extent of what is, without a doubt, going to become known as the biggest and most notorious hack in the history of the Internet!
>
> Northcutt better take out that section about the Mitnik attack in that terrible book he is always rehashing with only a spit-shine and fancy new cover because here comes something leaner and meaner! (I have re-bought that nut's book eight times and it is always the same old cruft over and over, but there won't be a ninth purchase, you bet your pink pajamas!) Someone needs to tell him that SANS is not the MANS! LOL!
>
> This is BIG, folks! The mails... there were big ones and small ones and they all had one thing in common: they were from a person who would soon be determined to be a master hacker who has obviously infiltrated the bank's system long ago, before I even canned Stan (he was such a chump and always lost his wallet because he wore those baggy hacker pants).
>
> It seems that this black head hacker, named Charlie Root, has been busy alright... Every night, like clockwork, he sends me a few emails that contain the most intimate of details about the server! Drive space, logins, users I've created and removed, and more! I think he is trying to extort money from the bank!
>
> I was scared to hell to raise any red alarms at the bank so I started to look around and I believe I found out who this Charlie Root person really is:
>
> http://www.baseballlibrary.com/baseballlibrary/ballplayers/R/Root_Charlie.stm
>
> It seems that old Chinski used to play baseball for the Brown Cubs back in his youth. Clearly, from reading about his shoddy career, he was washed up as his stats are terrible by modern standards and he retired from the game in 1970! Now, as is abundantly clear, he has reached a desperate point in his life and is now devoting his time to taking over the world's infrastructure and trying to do phishy things and extort money from gallant administrators like myself.
>
> I looked into the front directory on my server and saw a folder called "root"! OMGF! I dove into his folder and saw all kinds of hacker files (like some thinger called ".bash_history" which seems to contain a list of commands he uses to take over the system, and ".forward" which contains Stan's email address). There were also tarballers for other things that look like old log backups! Incredible! I tried to delete some of these trojan files but it said I could not! I did some more looking around and found another startling fact: Charlie Root has changed my shell! It is not sh like it should be, it has been set to "stsh" which is certainly some kind of backdoor hacker tool to capture my strokes!
>
> Normally I would just reboot the server but this time, since I was at lunch, I decided to play around with my EMACKS script on my new Sun 6800's and, by chance, I saw that almost every file on the system was already owned by the "root" fellow! He has the guile to call himself "Super-User!" when I fingered (LOL) his account! We have only had these systems for a little over a month and this Charlie Root has already taken over every UNIX server in the bank!
>
> This may be the end of our company if I cannot get this hacker out of our systems and expunge the network of this wretched "root" Chinski thing. I will not bow to his extortion attempts!
>
> Someone please tell me what I should do next!
>
> P.S. My bloglog has more background info and stuff about Chinski's involvement in Y2000K... <http://www.bilano.biz/>
>
> --
> Mr. Billy B. Bilano, MSCE, CCNA
> <http://www.bilano.biz/>
> Expert Sysadmin Since 2003!
> 'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL' -- RMS
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
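The quoted message is a joke, but the two things it stumbles over are a real offboarding gap: root's ~/.forward still pointed at the departed admin, so the nightly reports that OpenBSD mails to root kept landing in "stan"'s spool until the disk filled. The following script is an added example, not part of the thread or of OpenBSD; it audits a tree of home directories for .forward targets that are bare local usernames no longer present in the passwd file, and flags mail spool files over a size limit. The directory layout (a homes directory, a passwd-format file, a spool directory with one file per user) is a constructed assumption, built in a temporary directory for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): offboarding check for the two
# conditions in the story. Assumed, hypothetical layout: HOMES holds one
# directory per user, PASSWD is a passwd(5)-format file, SPOOL holds one
# mailbox file per user. build_demo constructs all three.

# find_stale_forwards HOMES PASSWD
# Print "owner target" for every ~/.forward whose target is a bare local
# username that no longer exists in PASSWD. Remote addresses (user@host),
# pipes (|cmd), escaped names (\user) and file paths (/path) are skipped.
find_stale_forwards() {
    homes=$1 passwd=$2
    for f in "$homes"/*/.forward; do
        [ -f "$f" ] || continue
        owner=$(basename "$(dirname "$f")")
        # .forward may hold several targets, comma- or newline-separated
        tr ',' '\n' < "$f" | while IFS= read -r target; do
            target=$(printf '%s' "$target" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
            [ -n "$target" ] || continue
            case $target in
                *@*|\|*|\\*|/*) continue ;;
            esac
            grep -q "^${target}:" "$passwd" || printf '%s %s\n' "$owner" "$target"
        done
    done
    return 0
}

# find_big_spools SPOOL LIMIT_KB
# Print "user size_kb" for every mailbox file larger than LIMIT_KB kilobytes.
find_big_spools() {
    spool=$1 limit=$2
    for m in "$spool"/*; do
        [ -f "$m" ] || continue
        kb=$(( $(wc -c < "$m") / 1024 ))
        [ "$kb" -gt "$limit" ] && printf '%s %s\n' "$(basename "$m")" "$kb"
    done
    return 0
}

# build_demo: constructed sample data reproducing the story; prints its path.
# root's ~/.forward points at "stan", who is gone from passwd but whose spool
# file is still growing. (OpenBSD's root gecos really is "Charlie &", which
# mail headers render as "Charlie Root".)
build_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/home/root" "$d/home/alice" "$d/mail"
    printf 'root:*:0:0:Charlie &:/root:/bin/sh\nalice:*:1000:1000:Alice:/home/alice:/bin/sh\n' > "$d/passwd"
    printf 'stan\n' > "$d/home/root/.forward"               # stale: stan is gone
    printf 'alice@example.net\n' > "$d/home/alice/.forward"  # remote: ignored
    dd if=/dev/zero of="$d/mail/stan" bs=1024 count=2048 2>/dev/null  # 2 MB spool
    printf 'x' > "$d/mail/alice"
    printf '%s\n' "$d"
}

DEMO=$(build_demo)
echo "stale forwards (owner target):"
find_stale_forwards "$DEMO/home" "$DEMO/passwd"   # root stan
echo "spools over 1024 KB (user kb):"
find_big_spools "$DEMO/mail" 1024                  # stan 2048
rm -rf "$DEMO"
```

On a real host, run the same checks against root's actual home (/root on OpenBSD, not under /home) and against /etc/mail/aliases, which can redirect root's mail just as ~/.forward does; the fix is to point root's mail at a monitored role mailbox when an admin leaves, and to stop sharing the departed admin's password rather than logging in with it.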