A cracker attacks and disrupts our ability to serve web pages


The following are the details of the break-in to my web server. The machine administrator's words appear in dark red; my words (the quoted `>` lines) appear in dark green.

Date: Wed, 7 Feb 1996 14:56:33 -0500
From: "Mama's little helper" 
To: msattler@GeekTimes.com
Subject: Re: baby is running Perl 4...
Status: U

> Bastards.  How did they get in?  Sniffed my password, I guess.

I'm not sure really. They also attacked one of the other machines on campus (thunder.indstate.edu), a machine you do not have access to, but is also a Linux machine, very similar to baby. It's possible he hacked you by guessing your password or cracked it with crack after he had gained root access through some other account.

> >I caught them in the act and shut them down but good.
>
> How; how?

Well, on Sunday I hadn't been logged in much, because a friend was visiting, so after I logged in on mama (through my nice dedicated 28.8 kbps modem =), I logged into thunder and noticed it gave the errors:

_setutent: Can't open utmp file: No such file or directory
_setutent: Can't open utmp file: No such file or directory

Just after entering the password. I didn't think anything of it, since thunder is poorly maintained, so I thought, "Well, thunder has a new error." But when I logged into baby, my heart sank when I saw the same thing. I knew then something was up. I immediately checked to make sure I had a utmp, and I did, so I checked /bin/login, and sure enough it was not only different, but compiled in ELF, rather than the system's current a.out configuration. This guy was running by a playbook as near as I can tell, which means he probably didn't know what he was doing, other than that it worked. He was pretty sloppy though, not even setting the inode times on anything. Really sloppy, making blatant errors show when you log in.

Anyway, after replacing the login program and doing a quick scan of the OS for setuid programs and making sure they still weren't on, I logged off to check the other systems. All were clean, so I logged back into baby to check a few more things, and there you were, or actually he was, in your account.

Essentially he was on, using your account. I figured he wasn't you, since the address he was coming in from was odd. After he responded to a talk request I asked for his first name, knowing your first name, and your name isn't in your finger. I did this because you don't always come in from the same address and I didn't want to kill you off if you were really you. I figured he wouldn't know whose account he was using, so after he couldn't come up with it, he quit the talk session and kicked me off the system. I logged back in and kicked him off the system and changed the account's password. Once that was done I set up the hosts.deny and hosts.allow files to deny all access from outside ISU and from the other hacked-in machine. I also replaced the login program and scanned for all the other usual things after a break-in. Baby seems clean, but I will re-install it when I get some time.

I'm pretty sure he was using the splitvt hack, which when you run it and quit and run it again and quit and spawn a /bin/sh, you're root, or something to that effect. I know this because he was running /bin/sh when he kicked me off, and there were no setuid programs on the system (and /bin/sh was not setuid either).

> Where did they hail from?  It'd be easier with trusted domains: catch22.com
> and sirius.com.  Is that a fine enough net for you?  I have a fixed IP at
> the former (guildenstern.catch22.com) but dynamic IP at the latter.

*msattler  ttyp0        midget.towson.e  Sun Feb  4 23:05 - 23:21  (00:15)
*msattler  ftp          thunder.indstate Sun Feb  4 18:34 - 18:35  (00:00)
 msattler  ftp          guildenstern.Cat Sun Feb  4 01:50 - 01:50  (00:00)
 msattler  ftp          b17.Catch22.COM  Sat Feb  3 22:05 - 22:06  (00:00)
?msattler  ttyp0        catalog1.netlin  Sat Feb  3 21:59 - 22:19  (00:19)
 msattler  ttyp0        ppp058-sf1.siri  Fri Feb  2 23:26 - 23:32  (00:06)
 msattler  ttyp0        guildenstern.Ca  Thu Feb  1 03:41 - 03:43  (00:01)

The ? one I don't know about for sure; it could be you. The * ones are definitely not you. The rest are from Catch22.COM and sirius.com, or at least it would seem.

I also added those domains to the hosts.allow, so you should be able to get in now.

> > Baby is going to be re-installed probably this week to make sure there
> > isn't anything left over from the hacking attempt that shouldn't be there,
>
> Good idea.  Then we can install Kerberos.
>

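As an added example (not from the page or its author), here is how a defender could triage that `last` listing the way the admin did, treating the two domains the owner named as trusted, and emit tcp_wrappers rules in the spirit of the hosts.allow/hosts.deny fix the admin describes. The session lines are the page's own listing; `TRUSTED_HOSTS` and `HOSTILE_HOSTS` are assumptions for the example.

```python
import re

# The page's `last` listing, minus the admin's * and ? marks (which `last` does not print).
LAST_LINES = """\
msattler  ttyp0        midget.towson.e  Sun Feb  4 23:05 - 23:21  (00:15)
msattler  ftp          thunder.indstate Sun Feb  4 18:34 - 18:35  (00:00)
msattler  ftp          guildenstern.Cat Sun Feb  4 01:50 - 01:50  (00:00)
msattler  ftp          b17.Catch22.COM  Sat Feb  3 22:05 - 22:06  (00:00)
msattler  ttyp0        catalog1.netlin  Sat Feb  3 21:59 - 22:19  (00:19)
msattler  ttyp0        ppp058-sf1.siri  Fri Feb  2 23:26 - 23:32  (00:06)
msattler  ttyp0        guildenstern.Ca  Thu Feb  1 03:41 - 03:43  (00:01)
"""
TRUSTED_DOMAINS = {"catch22.com", "sirius.com"}
TRUSTED_HOSTS = {"guildenstern.catch22.com"}   # assumption: the owner's fixed-IP host
HOSTILE_HOSTS = {"thunder.indstate.edu"}       # assumption: named in the thread as hacked

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s+\((\d+:\d+)\)$")

def parse_last(text):
    """Yield (user, tty, host, when) for each `last`-style line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), m.group(4)

def classify_host(host):
    """`last` truncates hostnames to 16 chars, so only prefix matching is
    possible; reverse DNS is also attacker-influenced, so this is triage."""
    h = host.lower()
    if any(full.startswith(h) for full in HOSTILE_HOSTS):
        return "hostile"
    if any(full.startswith(h) for full in TRUSTED_HOSTS):
        return "trusted"
    # Drop the machine label and compare the (truncated) domain part; a
    # remainder shorter than 3 chars is too ambiguous to count as trusted.
    rest = h.split(".", 1)[1] if "." in h else ""
    if len(rest) >= 3 and any(d.startswith(rest) for d in TRUSTED_DOMAINS):
        return "trusted"
    return "unknown"

def triage(text):
    # Every session not from a trusted place, with its verdict, in log order.
    return [(host, v) for _u, _t, host, _w in parse_last(text)
            if (v := classify_host(host)) != "trusted"]

def wrappers_rules(trusted_domains):
    """tcp_wrappers lines: hosts.allow lists the trusted domains (leading dot =
    whole domain), hosts.deny refuses the rest; hosts.allow is checked first."""
    allow = "ALL: " + " ".join("." + d for d in sorted(trusted_domains))
    return allow, "ALL: ALL"
```

Two of the three flagged sessions are the ones the admin starred; the third is the one he marked `?`, which is exactly the kind of record that needs a human to confirm.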
Have you found errors nontrivial or marginal, factual, analytical and illogical, arithmetical, temporal, or even typographical? Please let me know; drop me email. Thanks!
 

This page is copyrighted 1993-2008 by Lila, Isaac, Rose, and Mickey Sattler. All rights reserved.