[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)

Joe 'Zonker' Brockmeier jbrockmeier at earthlink.net
Mon Jan 28 21:08:36 MST 2002


On Mon, 28 Jan 2002, Sean LeBlanc wrote:

> ftp www.marianhome.go.ro

This is an address under the control of rdsnet.ro (Romania),
which looks to be a hosting company. Possibly this cracker has
a site hosted there, or has cracked another account there.

> I also scribbled down the IP numbers from where some of the logins took
> place. Is there anything I can do in retaliation? He kept turning off ssh
> (kind of stupid; it would have taken me a lot longer to notice otherwise)
> and turned ON telnet. He also enabled rlogin, too. I tried to close things
> up (hastily) before work, but I overlooked the rlogin...before I went to
> work, I deleted his home dir and entry in passwd. I tried to deny packets to
> port 53, but I'm not sure how to test. I guess I didn't do too good of a
> job, because by 10:30, he must have logged in and killed sshd
> again...because it wasn't responding. I had to wait until I got home, and
> sure enough, my little friend had been at it again.

Retaliation, no -- but if you can find the source that he's logging
in from you might be able to contact the ISP or whatever he's using.

What are the IPs?

> Prior to attack, I was running some services which I know I shouldn't have
> been, at least not without denying packets from outside - bind, smbd, nmbd,
> identd. I still have no idea what he did to crack machine, and that really
> bothers me. What I'd like to do is get ipchains rules together that block
> all incoming packets except for ssh and except for stuff returning from
> machines behind firewall. Getting cut off from home machine while at work is
> a real PITA w/o the added worry of what this induhvidual intentions are...

What distro, version, etc. are you using?

> So, any advice anyone has would be great. I ran Bastille scripts on this
> machine once before, I may do that again, too...I changed a few things since
> last I ran it, so it sure couldn't help.

If at all possible, save this machine for the installfest -- if you don't
get everything figured out by then, we can conduct a post-mortem on
the machine then. It'd be a good learning experience for everyone,
actually.

> I planned on swapping out this machine, and putting in its place OpenBSD
> (and a very bare installation, at that); now I guess that is higher up on
> the priority list - but in the meantime, I'd like some stopgap measure to
> keep this punk out. I have to at least download the OpenBSD ISO and get some
> hardware in order before I can do what I really need to do to stop this
> nonsense.

I have the SuSE firewall distro, it runs off of the CD-ROM, I could make
copies of that for you for the interim.

Take care,

Zonker
--
Joe 'Zonker' Brockmeier -=- jbrockmeier at earthlink.net
http://www.DissociatedPress.net/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"If there's going to be any future for us, our first invention
must be a meme-killer. We must destroy in ourselves and in
the people around us the meme proclaiming civilization to be
an unsurpassable invention." -- Daniel Quinn
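The quoted post asks for ipchains rules that block everything inbound except ssh and the replies to connections the firewall's own machines open. Here is an added example of such a rule set; it is not from the original thread or from either poster. It assumes a single external interface (eth0, overridable via EXT_IF), a constructed resolver address in RESOLVERS, and a DRY_RUN mode that prints the rules instead of applying them so the script can be reviewed on a box without ipchains. Since ipchains has no connection tracking, "returning stuff" is approximated the way it was in that era: TCP packets without the SYN flag (`! -y`) and UDP answers from the resolvers the host queries.

```shell
#!/bin/sh
# Added example (not code from the thread): ipchains input chain with a
# default DENY policy, so that even if an intruder turns telnet, rlogin or
# bind back on, nothing but ssh is reachable from outside.
# Assumptions: external interface EXT_IF (default eth0) and resolver list
# RESOLVERS (constructed TEST-NET-1 placeholder address); set DRY_RUN=1 to
# print the rules instead of executing ipchains.

EXT_IF="${EXT_IF:-eth0}"
RESOLVERS="${RESOLVERS:-192.0.2.53}"   # constructed placeholder resolver

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_rules() {
    # Start clean and make DENY the default: anything not explicitly
    # allowed below (telnet, rlogin, smb, inbound DNS, identd) is dropped.
    run ipchains -F input
    run ipchains -P input DENY

    # Loopback must stay open or local services break.
    run ipchains -A input -i lo -j ACCEPT

    # Drop and log packets on the outside interface that claim a loopback source.
    run ipchains -A input -i "$EXT_IF" -s 127.0.0.0/8 -j DENY -l

    # The one service reachable from outside: ssh on tcp/22.
    run ipchains -A input -i "$EXT_IF" -p tcp --dport 22 -j ACCEPT

    # Reply half of outbound TCP connections: packets without the SYN flag.
    # ipchains is stateless, so this is the accepted approximation; it lets
    # answers in while refusing new connection attempts.
    run ipchains -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # DNS answers from the resolvers this host asks (source port 53 to an
    # unprivileged local port). Queries aimed at our own port 53 still hit
    # the default DENY.
    for ns in $RESOLVERS; do
        run ipchains -A input -i "$EXT_IF" -p udp -s "$ns" 53 --dport 1024: -j ACCEPT
    done

    # ICMP needed for path MTU discovery and for our own pings to get answers.
    run ipchains -A input -i "$EXT_IF" -p icmp --icmp-type destination-unreachable -j ACCEPT
    run ipchains -A input -i "$EXT_IF" -p icmp --icmp-type echo-reply -j ACCEPT

    # Log whatever is left before the policy drops it, so repeat visits
    # show up in the kernel log instead of going unnoticed.
    run ipchains -A input -i "$EXT_IF" -j DENY -l
}

# Number of ACCEPT rules the generator emits; a quick sanity check that the
# rule set is as small as intended.
count_accepts() {
    DRY_RUN=1 apply_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Review the output with `DRY_RUN=1 sh firewall.sh --apply` first; then run it as root without DRY_RUN. Because the policy is DENY, add any other service you rely on (for instance a mail relay) as an explicit ACCEPT rule above the final logging rule, and check the kernel log afterwards for the `-l` entries to see what is being refused.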