[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)

Kevin Cullis kevincu at orci.com
Mon Jan 28 22:16:45 MST 2002


Sean,

I just saw a program just the other day on PBS (I think) about computer
security and the Defense Department (I think) tried hacking into 8192
computers.  Guess what? Out of all of those computers, only 1/2 of 1%
actually knew that they had been hacked and 1/4 of 1% actually notified
CERT about it.  So, you're not alone, but you're ahead of the game.

While this may not help, at least I see you being ahead of the game more
than most.

Kevin

Sean LeBlanc wrote:
> 
> Well, I've been noticing weird things on my firewall box since Friday.  I
> wasn't able to SSH in several times, had to turn it on from the console,
> only to discover hours later or next day it's not working again. So this
> morning I'm eating my bagel and coffee before work and I decide to try SSH
> again.  It's not on. So I start getting suspicious (finally) and decide to
> snoop about for any foul play - sure enough, I've been cracked. I've been
> pretty lazy about setting up ipchains to block things that I should be
> blocking. I am guessing that this jackass is trying to make my box part of a
> DDoS attack when the word comes via IRC. Here's at least a partial log of
> what he did (from .bash_history) from an account called marian he made on
> the box (with user id of 0):
> 
> So, any advice anyone has would be great. I ran Bastille scripts on this
> machine once before, I may do that again, too...I changed a few things since
> last I ran it, so it sure couldn't help.
> 
> I planned on swapping out this machine, and putting in its place OpenBSD
> (and a very bare installation, at that); now I guess that is higher up on
> the priority list - but in the meantime, I'd like some stopgap measure to
> keep this punk out. I have to at least download the OpenBSD ISO and get some
> hardware in order before I can do what I really need to do to stop this
> nonsense.
>
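An added defensive check, not part of the original thread or of any project mentioned in it: Sean's post describes an account ("marian") created with user id 0, which is one of the simplest indicators to audit for. The script below reads a passwd-format file and reports any uid 0 entry other than root, and separately any uid shared by more than one login. The sample passwd file is constructed here for demonstration; the account names other than "marian" are assumed stock entries and are not from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a passwd-format file
# for extra uid 0 accounts and for duplicate uids.

# find_extra_uid0 FILE: print login names that have uid 0 but are not "root".
# passwd fields are name:passwd:uid:gid:gecos:home:shell
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# find_duplicate_uids FILE: print "uid:name1,name2" for each uid used by
# more than one login name (an attacker's uid 0 account shows up here too).
find_duplicate_uids() {
    awk -F: '
        { count[$3]++; names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1) }
        END { for (u in count) if (count[u] > 1) print u ":" names[u] }
    ' "$1"
}

# check_passwd FILE: return 0 when only root holds uid 0, 1 otherwise,
# printing the offending names to stderr.
check_passwd() {
    extra="$(find_extra_uid0 "$1")"
    if [ -n "$extra" ]; then
        echo "WARNING: uid 0 accounts besides root: $extra" >&2
        return 1
    fi
    return 0
}

# Constructed sample passwd file for the demonstration ("marian" is the
# account name from the post; the remaining entries are assumed stock ones).
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
sean:x:1000:1000:Sean:/home/sean:/bin/bash
marian:x:0:0::/home/marian:/bin/bash
EOF

# Run the audit against the sample when invoked directly with --demo;
# on a real host, pass /etc/passwd instead of the sample file.
if [ "${1:-}" = "--demo" ]; then
    check_passwd "$SAMPLE_PASSWD" || echo "duplicates: $(find_duplicate_uids "$SAMPLE_PASSWD")"
    rm -f "$SAMPLE_PASSWD"
fi
```

Run as `sh audit_passwd.sh --demo` to see the sample flagged; for a live check, call `check_passwd /etc/passwd` from a cron job or a login script so that a newly created uid 0 account is noticed the next time it runs rather than days later.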