l i n u x - u s e r s - g r o u p - o f - d a v i s
L U G O D
 
Next Meeting:
December 2: Social gathering
Next Installfest:
TBD
Latest News:
Nov. 18: Club officer elections
Page last updated:
2003 Sep 21 22:59

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
Re: [vox] cal.net rant
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [vox] cal.net rant



On Sat, 20 Sep 2003, Ryan Castellucci wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Cal.net offers shell access to one of thier systems.
> 
> [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> $ uname -a
> Linux shell1.cal.net 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
> 
> Vurnable to the ptrace upgrade
> 
> $ cat /etc/redhat-release
> Red Hat Linux release 7.3 (Valhalla)
> 
> They WERE running debian potato....
> 
> [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> $ ./chkproc -v
> PID    14: not in readdir output
> PID    14: not in ps output
> You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> 
> Oops, looks like someone *already* "0wn3d" the box....
> 
> $ cat /proc/14/cmdline
> initauto
> 
> $ ls -al /sbin/init /sbin/telinit
> - -rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/init
> - -rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/telinit
> 
> This is a sign that the SucKit rootkit was installed
> 
> This attacker had installed a program to log passwords, and got one of mine 
> when I logged on to my servers from there. He installed an editor called aee 
> and a password logger that logged to /usr/lib/mem/mem
> 
> [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> $ ls -al /usr/lib/mem/mem
> - -rw--w--w-    1 root     root       217782 Sep 20 23:21 /usr/lib/mem/mem
> 
> it has been truncated, aparently, as it was up to 3MB
> 
> $ ls -al /usr/lib/mem
> total 44
> - -rwxr-xr-x    1 root     root        27976 Apr  9 13:31
> drwxr-xr-x    2 root     root         4096 Apr 24 15:26 .
> drwxr-xr-x   24 root     root        12288 Apr 24 15:25 ..
> 
> It seems this was done in april
> 
> The admin was notified the week after LinuxWorld
> 
> ns2.cal.net was also infected with slapper according to them (it was doing 
> ssh scans of my machines at work, which are on a nearby ip block)
> 
> I'm going to bite the bullet and switch to omsoft DSL at the end of this 
> month.
> 
> I would like to see an article published in the enterprise about this, as I 
> am VERY annoyed that they are partly to blame for two of my systems being 
> cracked, and that they are allowing this intruder have free reign on thier 
> system, however, I doubt the entrprise would make a store out of this. If 
> anyone knows of anywhere I can complain to that will bring this to the 
> attention of the public, I would be appreciative.

I am interested to see your analysis of the problem.  Definitely not fun.

However, I am not really sure why this situation is pushing you to switch
to Omsoft.  They are linux-friendly, but not necessarily
linux-advocates... they depend heavily on Windows NT.  Davis Community
Network (which is sort of related to Omsoft) has two (or more?) sun boxen.  
I have an account on one of these, and while I have no information leading
me to suspect that they are or ever have been 0wned, I would simply never
make a backward connection into my home box from that shell account, so
the worst that can happen through that account is defacement of my website
or perusal of my email.  I would not be particularly happy to encounter
defacement of my website, but I would most likely simply request the
sysadmin to review the security of their box and change my password. (I do
think DCN is competent to do that... you may not have even that level of
confidence in cal.net anymore.)

I like Omsoft as an ISP, but I don't have any reason to think they have
any special claim to better security than cal.net... and I don't hold them
even partly responsible for the integrity of my LAN.  There are too many
ways a random computer can be doctored to make remote shell connections to
my home box permissible to more than my laptop.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------

_______________________________________________
vox mailing list
vox@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox



LinkedIn
LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
facebook
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
Appahost Applications
For a significant contribution towards our projector, and a generous donation to allow us to continue meeting at the Davis Library.