[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)
Sean LeBlanc
seanleblanc at attbi.com
Mon Jan 28 21:36:37 MST 2002
On 01-28 21:08, Joe 'Zonker' Brockmeier wrote:
> On Mon, 28 Jan 2002, Sean LeBlanc wrote:
>
> > ftp www.marianhome.go.ro
>
> This is an address under the control of rdsnet.ro (Romania),
> which looks to be a hosting company. Possibly this cracker has
> a site hosted there, or has cracked another account there.
Why would he be so stupid as to ftp to something he already cracked, or
actually ftp to a site that he is associated with? Pretty dumb, but he did
slip up other places, too, as I mentioned before. Shutting off sshd was
especially stupid.
> > I also scribbled down the IP numbers from where some of the logins took
> > place. Is there anything I can do in retaliation? He kept turning off ssh
> > (kind of stupid; it would have taken me a lot longer to notice otherwise)
> > and turned ON telnet. He also enabled rlogin, too. I tried to close things
> > up (hastily) before work, but I overlooked the rlogin...before I went to
> > work, I deleted his home dir and entry in passwd. I tried to deny packets to
> > port 53, but I'm not sure how to test. I guess I didn't do too good of a
> > job, because by 10:30, he must have logged in and killed sshd
> > again...because it wasn't responding. I had to wait until I got home, and
> > sure enough, my little friend had been at it again.
>
> Retaliation, no -- but if you can find the source that he's logging
> in from you might be able to contact the ISP or whatever he's using.
>
> What are the IPs?
193.231.202.163 and
193.109.122.5
> > Prior to attack, I was running some services which I know I shouldn't have
> > been, at least not without denying packets from outside - bind, smbd, nmbd,
> > identd. I still have no idea what he did to crack machine, and that really
> > bothers me. What I'd like to do is get ipchains rules together that block
> > all incoming packets except for ssh and except for stuff returning from
> > machines behind firewall. Getting cut off from home machine while at work is
> > a real PITA w/o the added worry of what this induhvidual's intentions are...
>
> What distro, version, etc. are you using?
RH 6.1
> > So, any advice anyone has would be great. I ran Bastille scripts on this
> > machine once before, I may do that again, too...I changed a few things since
> > last I ran it, so it sure couldn't help.
>
> If at all possible, save this machine for the installfest -- if you don't
> get everything figured out by then, we can conduct a post-mortem on
> the machine then. It'd be a good learning experience for everyone,
> actually.
>
> > I planned on swapping out this machine, and putting in its place OpenBSD
> > (and a very bare installation, at that); now I guess that is higher up on
> > the priority list - but in the meantime, I'd like some stopgap measure to
> > keep this punk out. I have to at least download the OpenBSD ISO and get some
> > hardware in order before I can do what I really need to do to stop this
> > nonsense.
>
> I have the SuSE firewall distro; it runs off of the CD-ROM. I could make
> copies of that for you for the interim.
That's okay. I have to double-check the hardware, and if it's not a go, I'll
scrounge up something for cheap at one of the used shops. The ISO is at 17%
in the download...thanks, though!
--
Sean LeBlanc:seanleblanc at attbi.com Yahoo:seanleblancathome
ICQ:138565743 MSN:seanleblancathome AIM:sleblancathome
We will not know unless we begin.
-Howard Zinn
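The intruder in this thread kept switching the host from sshd to telnet and rlogin and added his own account, so a quick audit of inetd.conf and passwd for exactly those changes is a useful stopgap check. This is an added example, not anything posted in the thread; the inetd.conf and passwd contents below are constructed samples, and the baseline user list is an assumption you would replace with your own.

```python
"""Audit an inetd-era Linux host (RH 6.x style) for the changes described in the thread:
cleartext remote-login services switched on and unexpected accounts in /etc/passwd."""
from typing import Dict, List, Set

# inetd service names for telnet, rlogin (login), rsh (shell) and rexec (exec)
RISKY_INETD_SERVICES = {"telnet", "login", "shell", "exec"}

# Constructed sample inetd.conf: telnet and rlogin are active, rsh is commented out.
INETD_CONF = """# constructed sample, not a real file
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Constructed sample passwd: 'toor' is a second uid-0 account, 'guest' is unexpected.
PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
sean:x:500:500:Sean:/home/sean:/bin/bash
toor:x:0:0::/root:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
"""
BASELINE_USERS = {"root", "bin", "sean"}  # assumed known-good accounts


def enabled_inetd_services(inetd_conf: str) -> List[str]:
    """Return the service names with an active (uncommented) inetd.conf line."""
    found = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # service socket proto wait user server [args]
        if len(fields) >= 6:
            found.append(fields[0])
    return found


def risky_inetd_services(inetd_conf: str) -> List[str]:
    """Cleartext remote-login services that are switched on."""
    return sorted(set(enabled_inetd_services(inetd_conf)) & RISKY_INETD_SERVICES)


def suspicious_passwd_entries(passwd: str, baseline: Set[str]) -> Dict[str, List[str]]:
    """Flag uid-0 accounts other than root and accounts missing from the baseline."""
    findings: Dict[str, List[str]] = {"extra_uid0": [], "unknown_users": []}
    for line in passwd.splitlines():
        parts = line.split(":")
        if len(parts) < 7:  # skip blank or malformed lines
            continue
        name, uid = parts[0], parts[2]
        if uid == "0" and name != "root":
            findings["extra_uid0"].append(name)
        if name not in baseline:
            findings["unknown_users"].append(name)
    return findings
```

On a real host, read /etc/inetd.conf and /etc/passwd instead of the samples and compare against a baseline captured before the machine was exposed.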