Linux Users' Group of Davis (LUGOD)
Page last updated: 2003 Sep 21 19:41

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

[vox] cal.net rant

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cal.net offers shell access to one of their systems.

[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ uname -a
Linux shell1.cal.net 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown

Vulnerable to the ptrace upgrade

$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)

They WERE running debian potato....

[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ ./chkproc -v
PID    14: not in readdir output
PID    14: not in ps output
You have     1 process hidden for readdir command
You have     1 process hidden for ps command

Oops, looks like someone *already* "0wn3d" the box....

$ cat /proc/14/cmdline
initauto

$ ls -al /sbin/init /sbin/telinit
- -rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/init
- -rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/telinit

This is a sign that the SucKit rootkit was installed.

This attacker had installed a program to log passwords, and got one of mine 
when I logged on to my servers from there. He installed an editor called aee 
and a password logger that logged to /usr/lib/mem/mem.

[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ ls -al /usr/lib/mem/mem
- -rw--w--w-    1 root     root       217782 Sep 20 23:21 /usr/lib/mem/mem

It has been truncated, apparently, as it was up to 3MB.

$ ls -al /usr/lib/mem
total 44
- -rwxr-xr-x    1 root     root        27976 Apr  9 13:31
drwxr-xr-x    2 root     root         4096 Apr 24 15:26 .
drwxr-xr-x   24 root     root        12288 Apr 24 15:25 ..

It seems this was done in April.

The admin was notified the week after LinuxWorld.

ns2.cal.net was also infected with Slapper according to them (it was doing 
ssh scans of my machines at work, which are on a nearby IP block).

I'm going to bite the bullet and switch to omsoft DSL at the end of this 
month.

I would like to see an article published in the Enterprise about this, as I 
am VERY annoyed that they are partly to blame for two of my systems being 
cracked, and that they are allowing this intruder to have free rein on their 
system. However, I doubt the Enterprise would make a story out of this. If 
anyone knows of anywhere I can complain to that will bring this to the 
attention of the public, I would be appreciative.

- -- 
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90  34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
Also available at http://www.cal.net/~ryan/ryan_at_mother_dot_com.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/bUeOEd9E83IXe8cRAkkuAJ4v0Bok/Lv3pGqppxW4hXkn/r9O5wCfRTFn
OogWWYnw4zILu4koG96MsJI=
=rD6t
-----END PGP SIGNATURE-----
_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox
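The two checks the post relies on, reproduced as an added example that is not part of the post or of chkrootkit: chkproc's hidden-process detection (a PID that can be opened directly under /proc but does not appear when /proc is listed), and the /sbin/init versus /sbin/telinit comparison the author uses as a SucKit indicator. The script assumes a Linux /proc layout and the /proc/sys/kernel/pid_max file; the SAMPLE_* sets are constructed to mirror the post's hidden PID 14, and the stock-system assumption that telinit is a symlink to init is the author's heuristic, not a claim about every distribution.

```python
"""Hidden-process and init/telinit checks in the style of chkproc (added example)."""
import os

PROC = "/proc"

# Constructed sample data mirroring the post: PID 14 answers a direct probe
# but is missing from the readdir() listing.
SAMPLE_READDIR = {1, 2, 3, 15, 120}
SAMPLE_PROBE = SAMPLE_READDIR | {14}


def pid_max(proc=PROC):
    """Upper bound for probing; falls back to the classic 32768 when
    /proc/sys/kernel/pid_max is unreadable (for example, not on Linux)."""
    try:
        with open(f"{proc}/sys/kernel/pid_max") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 32768


def pids_from_readdir(proc=PROC):
    """PIDs a directory listing of /proc reveals; this is what ps and ls see,
    and it is the view a rootkit that filters readdir() tampers with."""
    try:
        return {int(n) for n in os.listdir(proc) if n.isdigit()}
    except OSError:
        return set()


def pids_from_probe(limit, proc=PROC):
    """PIDs found by looking up /proc/<n> directly for every n up to limit.
    Filtering readdir() does not block a direct lookup, so a PID present here
    but absent from the listing is chkproc's 'not in readdir output' case."""
    return {pid for pid in range(1, limit + 1) if os.path.isdir(f"{proc}/{pid}")}


def hidden_pids(readdir_pids, probe_pids):
    """PIDs reachable by direct probe but missing from the directory listing."""
    return sorted(probe_pids - readdir_pids)


def stable_hidden(rounds=3, proc=PROC):
    """Repeat the comparison and keep only PIDs hidden in every round, so a
    process that merely exited between listing and probing is not reported."""
    limit = pid_max(proc)
    result = None
    for _ in range(rounds):
        found = set(hidden_pids(pids_from_readdir(proc), pids_from_probe(limit, proc)))
        result = found if result is None else result & found
    return sorted(result)


def read_cmdline(pid, proc=PROC):
    """Command line of a PID (NUL-separated argv), like 'initauto' in the post."""
    try:
        with open(f"{proc}/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").strip().decode("utf-8", "replace")
    except OSError:
        return "<unreadable>"


def report(readdir_pids, probe_pids):
    """The summary chkproc prints, returned as text so callers can assert on it."""
    hidden = hidden_pids(readdir_pids, probe_pids)
    lines = [f"PID {pid:5d}: not in readdir output" for pid in hidden]
    lines.append(f"You have {len(hidden):5d} process(es) hidden for readdir command")
    return "\n".join(lines)


def classify_init_pair(telinit_is_symlink, init_size, telinit_size):
    """Apply the post's heuristic to lstat() facts: telinit as a symlink to init
    is the expected layout; two separate regular files of identical size is the
    pattern the author attributes to SucKit."""
    if telinit_is_symlink:
        return "ok: telinit is a symlink"
    if init_size == telinit_size:
        return "suspicious: telinit is a separate regular file identical in size to init"
    return "unusual: telinit is a separate regular file"


def check_init_pair(init="/sbin/init", telinit="/sbin/telinit"):
    """Collect the lstat() facts for classify_init_pair(); None if paths are absent."""
    try:
        init_size = os.stat(init).st_size
        telinit_size = os.lstat(telinit).st_size
    except OSError:
        return None
    return classify_init_pair(os.path.islink(telinit), init_size, telinit_size)


if __name__ == "__main__":
    print("constructed sample:")
    print(report(SAMPLE_READDIR, SAMPLE_PROBE))
    print("live host:")
    for pid in stable_hidden():
        print(f"PID {pid:5d}: not in readdir output, cmdline: {read_cmdline(pid)}")
    print(check_init_pair() or "init/telinit not found (not a Linux host?)")
```

Probing every PID up to pid_max costs one stat() per number, which on a modern kernel with a large pid_max takes a few seconds per round; the three-round intersection in stable_hidden() is what keeps short-lived processes from showing up as false positives. Run it from media you trust: on a box where init itself has been replaced, as the post describes, the kernel view the script depends on may already be lying.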
