On Fri, 12 Jan 2001, Micah Yoder wrote:

> > Actually, just download & install initscripts & the programs you need
> > (syslog, sendmail, cron, etc) to get them back. Trouble, yes. But not a
> > complete reinstall.
>
> Thanks, I got it working in somewhat good shape again.
>
> > Now, the question still remains what caused it to happen in the first
> > place. If a breakin is the answer, you need a reinstall regardless as
> > I'll guarantee there are other problems you haven't even located yet.
>
> Could it have been anything OTHER than a crack?
>
> Well I just checked out /var/log/messages from the day before the weird
> stuff happened.  Should have done that earlier.  Startup in the morning
> was normal, shutdown was not -- lpd, crond, etc., shutdown failed.
> During the day, this is what showed up:  (yeah, all that garbage is
> really there!)  And what are all the -- MARK -- things?  The su activity
> for users leroy and micah is (I think) normal.  But the connection from
> zeus.kernel.org is definitely not!  Is there any way to tell from this
> how they got in?

Bad bad bad.  Almost certainly this is a crack.  Looks like someone trying
to overflow a buffer in rpc.statd and shove in some shell code.  That
syslogd restarted shortly thereafter suggests they succeeded.

The '-- MARK --' stuff is printed from syslog every 10 minutes to let you
know syslogd is still running.  Normally redhat starts syslogd with '-m'
which stops this.  That it is there suggests syslogd was started manually
(by the cracker?) rather than with the init script.

The connection to oidentd from kernel.org is actually probably harmless.
Looks like micah made an outgoing ftp connection to kernel.org (to get the
2.4.0 maybe?) and it connected back to get his username.  This is normal and
pretty harmless.

The ftp connections from 202.175.50.106 look pretty suspicious.  It would
appear to be under ctm.net in China or Hong Kong.  Good bet that these are
your guys.

M.

> Jan  4 15:38:12 nova rpc.statd[351]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8049710
> 8054d98687465676274736f6d616e797265206520726f7220726f66
> bffff718
> bffff719  bffff71a
> bffff71b<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
> <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>

> Jan  4 15:40:24 nova syslogd 1.3-3: restart.

> Jan  4 15:55:19 nova ftpd[1327]: ACCESS DENIED (not in any class) TO
> 202.175.50.106 [202.175.50.106]
> Jan  4 15:55:19 nova ftpd[1327]: FTP LOGIN REFUSED (access denied) FROM
> 202.175.50.106 [202.175.50.106], ftp
> Jan  4 15:55:26 nova ftpd[1327]: FTP session closed
> Jan  4 16:20:24 nova -- MARK --
> Jan  4 16:40:25 nova -- MARK --
> Jan  4 17:00:25 nova -- MARK --
> Jan  4 17:20:25 nova -- MARK --
> Jan  4 17:40:25 nova -- MARK --
> Jan  4 18:00:25 nova -- MARK --
> Jan  4 18:20:25 nova -- MARK --
> Jan  4 18:40:25 nova -- MARK --
> Jan  4 19:00:25 nova -- MARK --
> Jan  4 19:20:25 nova -- MARK --
> Jan  4 19:40:25 nova -- MARK --
> Jan  4 19:41:10 nova PAM_pwdb[1415]: (su) session opened for user leroy
> by (uid=500)
> Jan  4 19:41:41 nova PAM_pwdb[1469]: (login) session opened for user
> micah by (uid=0)
> Jan  4 20:00:25 nova -- MARK --
> Jan  4 20:08:35 nova PAM_pwdb[1544]: (su) session opened for user root
> by micah(uid=500)
> Jan  4 20:09:40 nova PAM_pwdb[1544]: (su) session closed for user root
> Jan  4 20:20:25 nova -- MARK --
> Jan  4 20:40:25 nova -- MARK --
> Jan  4 21:00:25 nova -- MARK --
> Jan  4 21:20:25 nova -- MARK --
> Jan  4 21:40:25 nova -- MARK --
> Jan  4 22:00:25 nova -- MARK --
> Jan  4 22:20:25 nova -- MARK --
> Jan  4 22:40:25 nova -- MARK --
> Jan  4 23:00:25 nova -- MARK --
> Jan  4 23:20:25 nova -- MARK --
> Jan  4 23:40:25 nova -- MARK --
> Jan  4 23:47:39 nova oidentd[1788]: Connection from zeus.kernel.org
> (209.10.41.242):2738
> Jan  4 23:47:39 nova oidentd[1788]: [209.10.41.242] Successful lookup:
> 1690 , 21 : micah
> (micah)
> Jan  5 00:00:25 nova -- MARK --
> Jan  5 00:20:25 nova -- MARK --
> Jan  5 00:40:25 nova -- MARK --
> Jan  5 01:00:25 nova -- MARK --
> Jan  5 01:10:42 nova PAM_pwdb[1415]: (su) session closed for user leroy
> Jan  5 01:36:22 nova PAM_pwdb[1469]: (login) session closed for user
> micah
> Jan  5 01:36:22 nova inetd[1289]: pid 1468: exit status 1
>
>
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
>

-- 
WebCentral Pty Ltd           Australia's #1 Internet Web Hosting Company
Level 1, 96 Lytton Road.           Network Operations - Systems Engineer
PO Box 4169, East Brisbane.                       phone: +61 7 3249 2583
Queensland, Australia.                            pgp key id: 0x900E515F
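As an added example (not part of the thread or of any Red Hat tool), a small Python checker that applies the indicators M. reads out of the log above to a constructed, abridged sample log: a NOP sled in rpc.statd's gethostbyname argument, a syslogd restart shortly after it, MARK lines, and refused ftpd logins from an outside address. The thresholds (eight NOPs, a 10-minute restart window, severity labels) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, abridged from the pattern of the log quoted in the thread.
SAMPLE_LOG = """\
Jan  4 15:38:12 nova rpc.statd[351]: gethostbyname error for ^X÷ÿ¿bffff750 8049710 <90><90><90><90><90><90><90><90><90><90><90><90>
Jan  4 15:40:24 nova syslogd 1.3-3: restart.
Jan  4 15:55:19 nova ftpd[1327]: FTP LOGIN REFUSED (access denied) FROM 202.175.50.106 [202.175.50.106], ftp
Jan  4 16:20:24 nova -- MARK --
Jan  4 16:40:25 nova -- MARK --
Jan  4 20:08:35 nova PAM_pwdb[1544]: (su) session opened for user root by micah(uid=500)
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Eight or more consecutive 0x90 (x86 NOP) bytes, raw or in syslogd's <90> escaped form (assumed threshold).
NOP_SLED_RE = re.compile(r"(?:<90>|\x90){8,}")
FTP_REFUSED_RE = re.compile(r"FTP LOGIN REFUSED .* FROM (\S+) \[")


def analyze(log_text, restart_window_s=600):
    """Return (severity, description) findings for the indicators discussed in the thread."""
    findings, statd_events, mark_seen = [], [], False
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; fine for intra-day deltas
        rest = m["rest"]
        if "rpc.statd" in rest and "gethostbyname error for" in rest:
            # A hostname should be printable text; a NOP sled or raw binary is an overflow attempt.
            arg = rest.split("gethostbyname error for", 1)[1]
            nonprintable = sum(1 for c in arg if not c.isprintable())
            if NOP_SLED_RE.search(arg) or nonprintable > 4:
                statd_events.append(ts)
                findings.append(("HIGH", "rpc.statd: NOP sled / binary data in hostname field"))
        elif rest.startswith("syslogd") and rest.endswith("restart."):
            # A syslogd restart right after the overflow attempt suggests the attacker got a shell.
            if any(0 <= (ts - t).total_seconds() <= restart_window_s for t in statd_events):
                findings.append(("HIGH", "syslogd restarted shortly after statd overflow attempt"))
        elif rest.endswith("-- MARK --") and not mark_seen:
            mark_seen = True  # report once; MARK means syslogd was not started with the usual -m option
            findings.append(("LOW", "syslogd emitting MARK lines: check how syslogd was started"))
        else:
            f = FTP_REFUSED_RE.search(rest)
            if f:
                findings.append(("MEDIUM", "ftpd login refused from %s" % f.group(1)))
    return findings


if __name__ == "__main__":
    for sev, desc in analyze(SAMPLE_LOG):
        print(sev, desc)
```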


