[CLUE-Tech] Fwd: Re: blitznet crack attack

Dan Harris coronadh at coronasolutions.com
Fri Jun 15 09:13:01 MDT 2001


WOW, that's some good info, Jim.  Thanks for sharing it.

What I find interesting is that this cracker went directly to the exploit 
instead of portscanning the box first.  If he/she had portscanned it, 
portsentry would have done its job and dropped the IP.  I guess this just 
proves that the #1 most important security measure is to stay up to date 
with OS patches!

For #1, my guess would be that it was in /root/.  The logs show su sessions 
being opened, so that looks like the account that was used to do all the 
chmod's and install of the rootkit.

#2, most of the time, there will be nothing to check, as 99% of all script 
kiddies will do a portscan first, looking for vulnerable ports.  Portsentry 
will block them before they ever get to a shell.

#3, I'm not up to speed with proxies, so hopefully someone else will add 
some insight here...

-Dan Harris

> Greetings All,
> 
> Interesting post/info on the PortSentry mailing list (see what follows) re:
> another successful crack that PortSentry caught after the fact (the
> damage was done).
> 
> For Discussion:
> 
> 1) The .bash_history that is being reviewed in the post... would that file
> be located in the /home/daemon directory, the root user's directory, or what?
> 
> 2) If PortSentry posts an AttackAlert, what/where .bash_history files
> should be viewed and inspected to see what the cracker was up to?
> 
> 3) I've seen attempts on my own system via port 1080. This is used by
> servers running as proxy servers, yes?
> 
> Bonus Questions: What did the cracker do, and how did he get in? How
> could this have been prevented?
> 
> -JimI.
> 
> Jim Intriglia
> IT Systems and Software Developer
> www.JimIntriglia.com
> 
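Questions #1 and #2 above ask which .bash_history files to look at after a PortSentry AttackAlert, and Dan's answer points at /root and at the su and chmod activity in the logs. The following is an added example (not code from the thread, PortSentry, or either poster) of how a responder can turn that into a repeatable check: derive the history-file path for every login-capable account from /etc/passwd, then report whether each file is present, empty, or missing, and which commands match the indicators the post itself names (su and chmod). The /etc/passwd lines, the history contents, and the SAMPLE_FS dictionary standing in for the filesystem are all constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed /etc/passwd sample (an assumption for the example, not taken
# from the compromised host in the post). Only accounts with a real login
# shell will ever have a shell history file.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
dan:x:1000:1000:Dan:/home/dan:/bin/bash
"""

# Constructed shell histories keyed by path, standing in for the filesystem.
# None means the file is absent, as it would be if the intruder removed it.
SAMPLE_FS: Dict[str, Optional[str]] = {
    "/root/.bash_history": "w\nsu\nchmod 755 /usr/bin/ls\nls -la /tmp\n",
    "/usr/sbin/.bash_history": None,
    "/home/dan/.bash_history": "ls\nvi notes.txt\n",
}

NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Command patterns the post itself points at: su sessions and the chmod
# runs made while the rootkit was being installed.
INDICATORS = [re.compile(r"^\s*su\b"), re.compile(r"^\s*chmod\b")]


def history_files(passwd_text: str) -> Dict[str, str]:
    """Map each login-capable account to the .bash_history path to inspect."""
    paths: Dict[str, str] = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        user, home, shell = fields[0], fields[5], fields[6]
        if shell in NOLOGIN_SHELLS:
            continue
        paths[user] = home.rstrip("/") + "/.bash_history"
    return paths


def flagged_commands(history_text: str) -> List[str]:
    """Return the history lines that match one of the indicator patterns."""
    return [cmd for cmd in history_text.splitlines()
            if any(p.search(cmd) for p in INDICATORS)]


def review_histories(passwd_text: str,
                     fs: Dict[str, Optional[str]]) -> Dict[str, dict]:
    """Build a per-account report: file status plus any flagged commands."""
    report: Dict[str, dict] = {}
    for user, path in history_files(passwd_text).items():
        content = fs.get(path)
        if content is None:
            # A history file that is gone after an alert is itself a finding.
            status, flagged = "missing", []
        elif not content.strip():
            status, flagged = "empty", []
        else:
            status, flagged = "present", flagged_commands(content)
        report[user] = {"path": path, "status": status, "flagged": flagged}
    return report


if __name__ == "__main__":
    for user, r in review_histories(SAMPLE_PASSWD, SAMPLE_FS).items():
        print(f"{user:8} {r['status']:8} {r['path']}  {r['flagged']}")
```

On a real host the SAMPLE_FS dictionary would be replaced by reads of the paths returned by history_files(); the point of reporting "missing" and "empty" separately is that an intruder who cleared or unset the history leaves no commands to grep, and that absence is what the responder should notice.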