[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)

Sean LeBlanc seanleblanc at attbi.com
Mon Jan 28 21:36:37 MST 2002


On 01-28 21:08, Joe 'Zonker' Brockmeier wrote:
> On Mon, 28 Jan 2002, Sean LeBlanc wrote:
> 
> > ftp www.marianhome.go.ro
> 
> This is an address under the control of rdsnet.ro (Romania),
> which looks to be a hosting company. Possibly this cracker has
> a site hosted there, or has cracked another account there.

Why would he be so stupid as to ftp to something he already cracked, or
actually ftp to a site that he is associated with? Pretty dumb, but he did
slip up in other places, too, as I mentioned before. Shutting off sshd was
especially stupid.

> > I also scribbled down the IP numbers from where some of the logins took
> > place. Is there anything I can do in retaliation? He kept turning off ssh
> > (kind of stupid; it would have taken me a lot longer to notice otherwise)
> > and turned ON telnet. He also enabled rlogin, too. I tried to close things
> > up (hastily) before work, but I overlooked the rlogin...before I went to
> > work, I deleted his home dir and entry in passwd. I tried to deny packets to
> > port 53, but I'm not sure how to test. I guess I didn't do too good a
> > job, because by 10:30, he must have logged in and killed sshd
> > again...because it wasn't responding. I had to wait until I got home, and
> > sure enough, my little friend had been at it again.
> 
> Retaliation, no -- but if you can find the source that he's logging
> in from you might be able to contact the ISP or whatever he's using.
> 
> What are the IPs?

193.231.202.163 and 
193.109.122.5

> > Prior to the attack, I was running some services which I know I shouldn't have
> > been, at least not without denying packets from outside - bind, smbd, nmbd,
> > identd. I still have no idea what he did to crack the machine, and that really
> > bothers me. What I'd like to do is get ipchains rules together that block
> > all incoming packets except for ssh and except for stuff returning from
> > machines behind the firewall. Getting cut off from the home machine while at work is
> > a real PITA w/o the added worry of what this induhvidual's intentions are...
> 
> What distro, version, etc. are you using?

RH 6.1 

> > So, any advice anyone has would be great. I ran Bastille scripts on this
> > machine once before, I may do that again, too...I changed a few things since
> > last I ran it, so it sure couldn't help.
> 
> If at all possible, save this machine for the installfest -- if you don't
> get everything figured out by then, we can conduct a post-mortem on
> the machine then. It'd be a good learning experience for everyone,
> actually.
> 
> > I planned on swapping out this machine, and putting in its place OpenBSD
> > (and a very bare installation, at that); now I guess that is higher up on
> > the priority list - but in the meantime, I'd like some stopgap measure to
> > keep this punk out. I have to at least download the OpenBSD ISO and get some
> > hardware in order before I can do what I really need to do to stop this
> > nonsense.
> 
> I have the SuSE firewall distro, it runs off of the CD-ROM, I could make
> copies of that for you for the interim.

That's okay. I have to double-check the hardware, and if it's not a go, I'll
scrounge up something for cheap at one of the used shops. The ISO is at 17%
in the download...thanks, though!

-- 
Sean LeBlanc:seanleblanc at attbi.com Yahoo:seanleblancathome 
ICQ:138565743 MSN:seanleblancathome AIM:sleblancathome 
We will not know unless we begin. 
-Howard Zinn 
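The stopgap ruleset Sean asks for above (drop everything inbound except ssh and return traffic) is something ipchains on a RH 6.1 box can do. The script below is an added example written for this thread, not something Sean or Joe posted. It assumes the external interface is eth0, the LAN is 192.168.1.0/24 on eth1, and sshd is still on port 22; all three are constructed assumptions and can be overridden through environment variables. By default it only prints the ipchains commands (DRY_RUN=1), so it can be read and checked before anything is loaded; run it as `sh stopgap.sh apply` as root to actually install the rules.

```shell
#!/bin/sh
# Stopgap ipchains ruleset for a single RH 6.1 host: default-deny inbound,
# allow ssh, allow traffic that answers connections we started.
#
# Assumptions (constructed for this example, not taken from the post):
#   EXT_IF   - interface facing the Internet
#   LAN_IF   - interface facing the machines behind the firewall
#   LAN_NET  - address range of those machines
#   SSH_PORT - port sshd listens on
DRY_RUN=${DRY_RUN:-1}
EXT_IF=${EXT_IF:-eth0}
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
SSH_PORT=${SSH_PORT:-22}

# run: print the ipchains command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipchains $*"
    else
        ipchains "$@"
    fi
}

# build_rules: emit the complete input-chain policy, in order.
build_rules() {
    # Start clean and make the default answer "drop silently".
    run -F input
    run -P input DENY

    # Loopback and the trusted LAN interface are unrestricted.
    run -A input -i lo -j ACCEPT
    run -A input -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Anti-spoofing: nothing arriving from outside may claim a LAN address.
    run -A input -i "$EXT_IF" -s "$LAN_NET" -l -j DENY

    # The one service we want reachable from the Internet: ssh.
    run -A input -i "$EXT_IF" -p tcp -d 0.0.0.0/0 "$SSH_PORT" -j ACCEPT

    # ipchains is stateless, so "return traffic" is approximated as
    # TCP packets that are not connection requests (SYN without ACK).
    run -A input -i "$EXT_IF" -p tcp ! -y -j ACCEPT

    # DNS answers to our resolver (source port 53 -> our high port).
    # Queries *to* our port 53 stay denied by the default policy.
    run -A input -i "$EXT_IF" -p udp -s 0.0.0.0/0 53 -d 0.0.0.0/0 1024:65535 -j ACCEPT

    # ICMP so ping replies and "unreachable" messages still work.
    run -A input -i "$EXT_IF" -p icmp -j ACCEPT

    # Everything else from outside is logged, then dropped.
    run -A input -i "$EXT_IF" -l -j DENY
}

# rules_allow_port PORT: exit 0 if the emitted ruleset has an explicit
# ACCEPT for inbound TCP to PORT, 1 otherwise.  Handy as a sanity check
# before applying: telnet (23) and rlogin (513) must come back "no".
rules_allow_port() {
    build_rules | grep -q -- "-p tcp -d 0.0.0.0/0 $1 -j ACCEPT"
}

case "${1:-show}" in
    show)  build_rules ;;             # print the commands only
    apply) DRY_RUN=0; build_rules ;;  # load them for real (needs root)
esac
```

After applying, `ipchains -L input -n -v` lists the chain with per-rule packet counters, which is how to confirm a probe really hit the DENY rule: from a host outside, try `telnet <box> 53` or `nmap -sU -p 53 <box>` and watch the last rule's counter climb (the `-l` flag also writes each dropped packet to syslog). Two caveats: the `! -y` rule lets in any TCP segment without SYN set, so it keeps established sessions alive but is no substitute for the stateful filtering OpenBSD's pf or Linux iptables would give; and no packet filter undoes whatever got changed on a box someone already had a shell on, so the reinstall Sean is planning is still the real fix.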
