Anyone got something like this below http://www.honeynet.org/scans/scan29/sol/cgrenier/fragment201554.txt What is this, a virus or someone that got into my system and ran a program that emails detailed system information and passwords to people? How do they do it? thanks henry
On Thursday 10 March 2005 19:50, Henry Tang wrote:
Anyone got something like this below
http://www.honeynet.org/scans/scan29/sol/cgrenier/fragment201554.txt
What is this, a virus or someone that got into my system and ran a program that emails detailed system information and passwords to people? How do they do it?
huh? What are you talking about? That is part of a competition from the honeynet project, where they give you details about a compromised machine and you have to figure out what happened. That is not from your machine. Read the details on http://www.honeynet.org/scans/scan29/
Henry, On Thursday 10 March 2005 10:50, Henry Tang wrote:
Anyone got something like this below
http://www.honeynet.org/scans/scan29/sol/cgrenier/fragment201554.txt
There's far more interesting information if you start here: http://www.honeynet.org/scans/scan29/sol/cgrenier/, which includes links to the fragment201554.txt file.
What is this, a virus or someone that got into my system and ran a program that emails detailed system information and passwords to people? How do they do it?
thanks henry
Randall Schulz
The example I gave is bad. It is more like this http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :( henry Randall R Schulz wrote:
Henry,
On Thursday 10 March 2005 10:50, Henry Tang wrote:
Anyone got something like this below
http://www.honeynet.org/scans/scan29/sol/cgrenier/fragment201554.txt
There's far more interesting information if you start here: http://www.honeynet.org/scans/scan29/sol/cgrenier/, which includes links to the fragment201554.txt file.
What is this, a virus or someone that got into my system and ran a program that emails detailed system information and passwords to people? How do they do it?
thanks henry
Randall Schulz
Henry, On Thursday 10 March 2005 11:18, Henry Tang wrote:
The example I gave is bad. It is more like this
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :(
Are you running RootKit Hunter? If not, you should. You stand a good chance of knowing promptly when someone has established a toehold on your system. One regular participant here, Patrick Shanahan, kindly provides up-to-date builds in RPM form. To wit: -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==- On Tuesday 22 February 2005 05:21, Patrick Shanahan wrote:
rkhunter-1.2.1-1.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.2.1-1.noarch.rpm http://wahoo.no-ip.org/~pat/rkhunter-1.2.1-1.src.rpm http://wahoo.no-ip.org/~pat/rkhunter-1.2.1.tar.gz
Project description: Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone.
The changes in this release are as follows: This release adds support for Mandrake 8.1, FreeBSD 5.3, and Slackware 10.1. It has support for Fink, updated MD5 hashes, updated packages, improved logging, improved output, and several bugfixes.
Release focus: 5 - Minor feature enhancements
Changelog Below is the changelog of Rootkit Hunter. It will contain changes of early released versions and the active development version.
Current public version: 1.2.1 Current development version: 1.2.2 (not available yet) -==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
To find the full post, search for the subject "[SLE] rkhunter-1.2.1-1.noarch.rpm available" in the February 2005 archive.
... henry
Randall Schulz
On Thursday 10 March 2005 20:18, Henry Tang wrote:
The example I gave is bad. It is more like this
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :(
And is your machine a red hat machine? If your machine tries to send out that email, then it does indeed look like you have been hacked. The information you give isn't nearly enough to say how it was done though. What OS is the machine running? Is it patched with all available security updates? Which services are you running on it? Since the mail was never sent I suspect it hasn't been "owned", but just caught by an automated script of some description. I would hazard a guess that the log files haven't been cleaned, so you should still be able to find traces of how they got in through them. If this machine is in production use, I would recommend that you let someone look at it who knows about security.
Thanks a lot for the info. I will run that. I looked at my mail log and only two emails were sent out, and both got bounced, unless the mail log got cleaned. Luckily this is just some home server for fun, so nothing important, but I would like to figure out what happened. henry Randall R Schulz wrote:
Henry,
On Thursday 10 March 2005 11:18, Henry Tang wrote:
The example I gave is bad. It is more like this
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :(
Are you running RootKit Hunter? If not, you should. You stand a good chance of knowing promptly when someone has established a toehold on your system.
One regular participant here, Patrick Shanahan, kindly provides up-to-date builds in RPM form.
To wit:
-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==- On Tuesday 22 February 2005 05:21, Patrick Shanahan wrote:
rkhunter-1.2.1-1.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.2.1-1.noarch.rpm http://wahoo.no-ip.org/~pat/rkhunter-1.2.1-1.src.rpm http://wahoo.no-ip.org/~pat/rkhunter-1.2.1.tar.gz
Project description: Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone.
The changes in this release are as follows: This release adds support for Mandrake 8.1, FreeBSD 5.3, and Slackware 10.1. It has support for Fink, updated MD5 hashes, updated packages, improved logging, improved output, and several bugfixes.
Release focus: 5 - Minor feature enhancements
Changelog Below is the changelog of Rootkit Hunter. It will contain changes of early released versions and the active development version.
Current public version: 1.2.1 Current development version: 1.2.2 (not available yet)
-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
To find the full post, search for the subject "[SLE] rkhunter-1.2.1-1.noarch.rpm available" in the February 2005 archive.
... henry
Randall Schulz
On Thu, Mar 10, 2005 at 01:35:19PM -0600, Henry Tang wrote:
Thanks a lot for the info.
I will run that. I looked at my mail log and only two emails were sent out, and both got bounced, unless the mail log got cleaned. Luckily this is just some home server for fun, so nothing important, but I would like to figure out what happened.
henry
Randall R Schulz wrote:
Henry,
On Thursday 10 March 2005 11:18, Henry Tang wrote:
The example I gave is bad. It is more like this
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :(
LOL, ummm, when a mail tries sending the passwd file to another mail addy.... I think it's time to learn a little about security. First, is the machine updated when patches get released? Is the firewall up? Are you running services you don't actually need? Those are my first guesses. Next up: do you run as root a lot? This is the most common problem for home users. Next up, start looking in /dev, could be hidden things there. But I only recommend this if you are positive you won't screw up.
Are you running RootKit Hunter? If not, you should. You stand a good chance of knowing promptly when someone has established a toehold on your system.
One regular participant here, Patrick Shanahan, kindly provides up-to-date builds in RPM form.
To wit:
-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==- On Tuesday 22 February 2005 05:21, Patrick Shanahan wrote:
rkhunter-1.2.1-1.noarch.rpm is available for download: http://wahoo.no-ip.org/~pat/rkhunter-1.2.1-1.noarch.rpm http://wahoo.no-ip.org/~pat/rkhunter-1.2.1-1.src.rpm http://wahoo.no-ip.org/~pat/rkhunter-1.2.1.tar.gz
Project description: Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix clone.
The changes in this release are as follows: This release adds support for Mandrake 8.1, FreeBSD 5.3, and Slackware 10.1. It has support for Fink, updated MD5 hashes, updated packages, improved logging, improved output, and several bugfixes.
Release focus: 5 - Minor feature enhancements
Changelog Below is the changelog of Rootkit Hunter. It will contain changes of early released versions and the active development version.
Current public version: 1.2.1 Current development version: 1.2.2 (not available yet)
-==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==-
To find the full post, search for the subject "[SLE] rkhunter-1.2.1-1.noarch.rpm available" in the February 2005 archive.
... henry
Randall Schulz
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
On Thu, Mar 10, 2005 at 08:31:54PM +0100, Anders Johansson wrote:
On Thursday 10 March 2005 20:18, Henry Tang wrote:
The example I gave is bad. It is more like this
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :(
And is your machine a red hat machine?
How would this matter?
If your machine tries to send out that email, then it does indeed look like you have been hacked. The information you give isn't nearly enough to say how it was done though.
My machine does this, I'm not rooted.
What OS is the machine running? Is it patched with all available security updates? Which services are you running on it?
Since the mail was never sent I suspect it hasn't been "owned", but just caught by an automated script of some description. I would hazard a guess that the log files haven't been cleaned, so you should still be able to find traces of how they got in through them.
What if he just hasn't set up sendmail or postfix properly and THAT was why the mail failed? All they have to do now is set up the mail server and they get the mail.
If this machine is in production use, I would recommend that you let someone look at it who knows about security.
He pointed out he was only using it for home use and it's not a big deal.
On Friday 11 March 2005 05:39, Allen wrote:
On Thu, Mar 10, 2005 at 08:31:54PM +0100, Anders Johansson wrote:
On Thursday 10 March 2005 20:18, Henry Tang wrote:
The example I gave is bad. It is more like this
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :(
And is your machine a red hat machine?
How would this matter?
All the links I could find on the net that referred to that email were about red hat machines. It would matter in that he should contact red hat people about security fixes instead of suse. Not all bugs affect all distros. The Lion worm for example was red hat only.
If your machine tries to send out that email, then it does indeed look like you have been hacked. The information you give isn't nearly enough to say how it was done though.
My machine does this, I'm not rooted.
er, what? Your machine does what? Did you actually read any of the links? The mail in question was from a rootkit worm-ish thing. If your machine sends that out then you've been hacked.
What OS is the machine running? Is it patched with all available security updates? Which services are you running on it?
Since the mail was never sent I suspect it hasn't been "owned", but just caught by an automated script of some description. I would hazard a guess that the log files haven't been cleaned, so you should still be able to find traces of how they got in through them.
What if he just hasn't set up sendmail or postfix properly and THAT was why the mail failed? All they have to do now is set up the mail server and they get the mail.
huh? If they can get into the machine to set up the mail server, what would be the point of sending the mail?
If this machine is in production use, I would recommend that you let someone look at it who knows about security.
He pointed out he was only using it for home use and it's not a big deal.
Yes he did indeed. Except he pointed it out *after* I had sent the mail you replied to.
What I need to know now is what else can I do to find how this person hacked into my system. I checked message logs and mail logs and I found the date and time the email was sent out, but I dunno if the log files got cleaned or not. What other logs can I look into? henry Anders Johansson wrote:
On Friday 11 March 2005 05:39, Allen wrote:
On Thu, Mar 10, 2005 at 08:31:54PM +0100, Anders Johansson wrote:
On Thursday 10 March 2005 20:18, Henry Tang wrote:
The example I gave is bad. It is more like this
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :(
And is your machine a red hat machine?
How would this matter?
All the links I could find on the net that referred to that email were about red hat machines.
It would matter in that he should contact red hat people about security fixes instead of suse. Not all bugs affect all distros. The Lion worm for example was red hat only
If your machine tries to send out that email, then it does indeed look like you have been hacked. The information you give isn't nearly enough to say how it was done though.
My machine does this, I'm not rooted.
er, what? Your machine does what? Did you actually read any of the links? The mail in question was from a rootkit worm-ish thing. If your machine sends that out then you've been hacked.
What OS is the machine running? Is it patched with all available security updates? Which services are you running on it?
Since the mail was never sent I suspect it hasn't been "owned", but just caught by an automated script of some description. I would hazard a guess that the log files haven't been cleaned, so you should still be able to find traces of how they got in through them.
What if he just hasn't set up sendmail or postfix properly and THAT was why the mail failed? All they have to do now is set up the mail server and they get the mail.
huh? If they can get into the machine to set up the mail server, what would be the point of sending the mail?
If this machine is in production use, I would recommend that you let someone look at it who knows about security.
He pointed out he was only using it for home use and it's not a big deal.
Yes he did indeed. Except he pointed it out *after* I had sent the mail you replied to.
On Friday 11 March 2005 01:57, Henry Tang wrote:
What I need to know now is what else can I do to find how this person hacked into my system. I checked message logs and mail logs and I found the date and time the email was sent out, but I dunno if the log files got cleaned or not. What other logs can I look into?
henry
I feel for you. Not being able to tell if you have been hacked, or how badly, well, it really sucks. Some simple advice that may or may not be useful to you: First, try the suse-security list; you're more likely to get useful help there, in this topic. Second, I hope you're emailing from some other machine, and the suspicious one is offline. That is key. Get yourself a live cd (something up to date, less likely to have vulnerabilities, e.g., knoppix or something like it). Only then can you go back online. Do all your forensics using the live cd; you can't trust any binaries on your box anymore. Finally, even if you can't find any traces of hacking, reinstall the system from scratch anyway. Just in case. Well, that's all I've got. Good luck!
On Fri, Mar 11, 2005 at 12:57:14AM -0600, Henry Tang wrote:
What I need to know now is what else can I do to find how this person hacked into my system. I checked message logs and mail logs and I found the date and time the email was sent out, but I dunno if the log files got cleaned or not. What other logs can I look into?
If you're rooted they can not only delete logs but forge them. Meaning the holes where the log has been deleted can be forged so that it appears nothing happened. Again, were you updated with all security patches?
henry
Anders Johansson wrote:
On Friday 11 March 2005 05:39, Allen wrote:
On Thu, Mar 10, 2005 at 08:31:54PM +0100, Anders Johansson wrote:
On Thursday 10 March 2005 20:18, Henry Tang wrote:
The example I gave is bad. It is more like this
http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-06/0473.html
I didn't want to post the email my server was trying to send out because it includes the /etc/passwd file, so I posted examples I found on the net. Apparently root tried to send out a couple of emails to unknown users of yahoo and other email addresses as well. The email was bounced and that is how I found out. :( I am not in the competition. :(
And is your machine a red hat machine?
How would this matter?
All the links I could find on the net that referred to that email were about red hat machines.
It would matter in that he should contact red hat people about security fixes instead of suse. Not all bugs affect all distros. The Lion worm for example was red hat only
If your machine tries to send out that email, then it does indeed look like you have been hacked. The information you give isn't nearly enough to say how it was done though.
My machine does this, I'm not rooted.
er, what? Your machine does what? Did you actually read any of the links? The mail in question was from a rootkit worm-ish thing. If your machine sends that out then you've been hacked.
What OS is the machine running? Is it patched with all available security updates? Which services are you running on it?
Since the mail was never sent I suspect it hasn't been "owned", but just caught by an automated script of some description. I would hazard a guess that the log files haven't been cleaned, so you should still be able to find traces of how they got in through them.
What if he just hasn't set up sendmail or postfix properly and THAT was why the mail failed? All they have to do now is set up the mail server and they get the mail.
huh? If they can get into the machine to set up the mail server, what would be the point of sending the mail?
If this machine is in production use, I would recommend that you let someone look at it who knows about security.
He pointed out he was only using it for home use and it's not a big deal.
Yes he did indeed. Except he pointed it out *after* I had sent the mail you replied to.
Nope, I don't think I am. I am running 7.3 which is a discontinued product. I am working on SuSE 9.2 now ^.^ I think it'll be much more secure than 7.3. Allen wrote:
On Fri, Mar 11, 2005 at 12:57:14AM -0600, Henry Tang wrote:
What I need to know now is what else can I do to find how this person hacked into my system. I checked message logs and mail logs and I found the date and time the email was sent out, but I dunno if the log files got cleaned or not. What other logs can I look into?
If you're rooted they can not only delete logs but forge them. Meaning the holes where the log has been deleted can be forged so that it appears nothing happened.
Again, were you updated with all security patches?
On Sat, Mar 12, 2005 at 12:55:35AM -0600, Henry Tang wrote:
Nope, I don't think I am. I am running 7.3 which is a discontinued product. I am working on SuSE 9.2 now ^.^ I think it'll be much more secure than 7.3.
Umm OK, good, but don't turn the machine off if you plan on trying to save any data from it for analysis. The other guy who replied said to get it off, and I agree, pull the network cable, but DON'T turn it off, reboots can often lead to rm -rf / which is added in so if the machine is powered down it can.
Allen wrote:
On Fri, Mar 11, 2005 at 12:57:14AM -0600, Henry Tang wrote:
What I need to know now is what else can I do to find how this person hacked into my system. I checked message logs and mail logs and I found the date and time the email was sent out, but I dunno if the log files got cleaned or not. What other logs can I look into?
If you're rooted they can not only delete logs but forge them. Meaning the holes where the log has been deleted can be forged so that it appears nothing happened.
Again, were you updated with all security patches?
The Sunday 2005-03-13 at 17:47 -0500, Allen wrote:
Umm OK, good, but don't turn the machine off if you plan on trying to save any data from it for analysis. The other guy who replied said to get it off, and I agree, pull the network cable, but DON'T turn it off, reboots can often lead to rm -rf / which is added in so if the machine is powered down it can.
What about killing every process (kill -9), then pulling the cord? -- Cheers, Carlos Robinson
On Sunday 13 March 2005 18:54, Carlos E. R. wrote:
The Sunday 2005-03-13 at 17:47 -0500, Allen wrote:
Umm OK, good, but don't turn the machine off if you plan on trying to save any data from it for analysis. The other guy who replied said to get it off, and I agree, pull the network cable, but DON'T turn it off, reboots can often lead to rm -rf / which is added in so if the machine is powered down it can.
What about killing every process (kill -9), then pulling the cord?
Only if you don't boot the machine again. If rm -rf has been put into the init sequence (perhaps /etc/boot) then by starting the machine again the rogue code will be started and do its damage. You can boot with knoppix and then mount your partitions and examine them for damage. Did you install tripwire? -- Collector of vintage computers http://www.ncf.ca/~ba600 Machines to trade http://www.ncf.ca/~ba600/trade.html Open Source Weekend http://www.osw.ca
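The tripwire and rkhunter suggestions in this thread (and the advice to do the checking from a live CD) come down to one technique: hash every file you care about while the system is known-good, keep that baseline where the host cannot touch it, and later compare. The following is an added example written for this page, not code from the thread, from tripwire or from rkhunter. It assumes the baseline dictionary is stored off the suspect machine and that the comparison runs from a trusted environment such as the live CD mentioned above, because a trojaned kernel or coreutils on the suspect host could feed this script false data. The file names in demo() are constructed.

```python
"""Minimal file-integrity baseline, in the spirit of the tripwire/rkhunter
checks recommended in the thread.  Added example; assumes the baseline lives
off-host and the comparison is run from a trusted (live CD) environment."""

import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    snapshot = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # symlinks and device nodes are not hashed here
            snapshot[p.relative_to(root).as_posix()] = file_digest(p)
    return snapshot


def compare(old: dict, new: dict) -> dict:
    """Sorted lists of paths that were added, removed or modified since the baseline."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> dict:
    """Constructed mini filesystem: snapshot it, tamper with it, diff the two.
    The paths and contents are illustrative only."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "bin" / "ps").write_bytes(b"original ps binary")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0:root:/root:/bin/bash\n")

        before = baseline(root)  # this is what you would store off-host

        # Constructed tampering: a replaced ls, a new init-time script, a deleted ps.
        (root / "bin" / "ls").write_bytes(b"replaced ls binary")
        (root / "etc" / "rc.d").mkdir()
        (root / "etc" / "rc.d" / "S99unknown").write_bytes(b"#!/bin/sh\n")
        (root / "bin" / "ps").unlink()

        return compare(before, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The "added" bucket is the one that answers the question raised just above about something planted in the init sequence: a file that was not in the baseline but now sits under a startup directory stands out immediately, without having to know in advance what the attacker named it.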
Only if you don't boot the machine again.
If rm -rf has been put into the init sequence (perhaps /etc/boot) then by starting the machine again the rogue code will be started and do its damage.
You can boot with knoppix and then mount your partitions and examine them for damage.
Did you install tripwire?
Tripwire looks like pretty good software! So I still do that after booting with knoppix?
I looked into my system and this is what I found and wonder. Does this show that the email was sent by root?
H??Received: (from root@localhost) by main.yucreation.com (8.11.6/8.11.6/SuSE Linux 0.5) id j2A9fEW12735 for Blondu@mamef.us; Thu, 10 Mar 2005 03:41:14 -0600
H?D?Date: Thu, 10 Mar 2005 03:41:14 -0600
H?F?From: root <root>
I think the hack that sends out the email with shadow and passwd listing either has root access or shadow group access. Because according to this below it shows that only users of shadow or root can read the file. If the hacker has root, what is the purpose of getting the system config or shadow file via email.. I don't see a reason going through all that trouble. So must be user gdm.
shadow:x:15:root,gdm
-rw-r--r-- 1 root root 3102 Mar 11 03:49 passwd
-rw-r--r-- 1 root root 3102 Jan 5 23:26 passwd-
-rw-r--r-- 1 root root 2761 Oct 8 2003 passwd.bak
-rw-r--r-- 1 root root 2942 Nov 23 2003 passwd.old
main:/etc # ls -la | grep shadow
-rw-r--r-- 1 root shadow 772 Feb 9 15:35 group
-rw-r--r-- 1 root shadow 744 Oct 7 2003 group.bak
-rw-r----- 1 root shadow 765 Nov 7 2003 gshadow
-rw------- 1 root root 755 Nov 7 2003 gshadow-
-rw-r----- 1 root shadow 1859 Mar 11 04:26 shadow
-rw-r----- 1 root shadow 1819 Jan 12 12:07 shadow-
-rw-r----- 1 root shadow 1361 Oct 8 2003 shadow.bak
-rw-r----- 1 root shadow 1859 Mar 11 04:24 shadow.old
In the file listing like below.. It is open to anyone so that doesn't explain much. :9
===============================================================
Hacking Files..
/etc/opt/gnome/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/opt/kde2/share/applnk/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/Action/nethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/nethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.-368.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.desktop
/home/choad/ftp/appz/Macromedia_Studio_MX/FreeHand/Goodies/Assets/Templates/WebSite Templates/Snake Shack.FT9
/home/henry/hacking
/home/henry/_desktop/replays/hacked.rep
/home/henry/_desktop/replays/hacked2.rep
/opt/gnome/share/gnome/distribution-menus/SuSE/Games/TacticStrategy/xnethack.desktop
/opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jl
/opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jlc
/usr/games/nethack
/usr/games/nethack.d
/usr/games/nethack.d/nethack.qt
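The question just asked ("does this show that the email was sent by root?") and the earlier advice to look for traces in the mail log both reduce to the same triage step: read the sendmail queue-file header (the H??Received / H?D?Date / H?F?From lines are sendmail's qf format, one header per line with the flags between the question marks) and correlate the from= and to= entries in the mail log by queue id. The following is an added example written for this page, not code from the thread or from sendmail. The three qf lines are the ones posted above; the /var/log/mail lines are constructed here in sendmail's general from=/to=/stat= style and are not from the poster's server. The local domain names are taken from the posted Received header; anything else is treated as external.

```python
"""Triage of a sendmail queue-file header and mail-log lines: was the message
injected locally as root, and was it addressed outside the local domains?
Added example.  QF_LINES are from the thread; MAILLOG_LINES are constructed."""

import re

# Domains that count as "ours" (from the posted Received header); assumption.
LOCAL_DOMAINS = {"localhost", "main.yucreation.com", "yucreation.com"}

# Sendmail queue-file (qf) header lines as posted: "H?<flags>?<Header>: <value>".
QF_LINES = [
    "H??Received: (from root@localhost) by main.yucreation.com "
    "(8.11.6/8.11.6/SuSE Linux 0.5) id j2A9fEW12735 for Blondu@mamef.us; "
    "Thu, 10 Mar 2005 03:41:14 -0600",
    "H?D?Date: Thu, 10 Mar 2005 03:41:14 -0600",
    "H?F?From: root <root>",
]

# Constructed mail-log lines: one root -> external bounce, one routine root -> root mail.
MAILLOG_LINES = [
    "Mar 10 03:41:14 main sendmail[12735]: j2A9fEW12735: from=root, size=4210, class=0, "
    "nrcpts=1, msgid=<200503100941.j2A9fEW12735@main.yucreation.com>, relay=root@localhost",
    "Mar 10 03:41:16 main sendmail[12740]: j2A9fEW12735: to=Blondu@mamef.us, "
    "ctladdr=root (0/0), delay=00:00:02, mailer=esmtp, pri=34210, dsn=5.1.1, stat=User unknown",
    "Mar 10 04:02:01 main sendmail[12801]: j2AA21x12801: from=root, size=512, class=0, "
    "nrcpts=1, msgid=<200503101002.j2AA21x12801@main.yucreation.com>, relay=root@localhost",
    "Mar 10 04:02:01 main sendmail[12803]: j2AA21x12801: to=root, ctladdr=root (0/0), "
    "delay=00:00:00, mailer=local, pri=30512, dsn=2.0.0, stat=Sent",
]

QF_RE = re.compile(r"^H\?[^?]*\?(?P<name>[A-Za-z-]+):\s*(?P<value>.*)$")
RECEIVED_RE = re.compile(
    r"\(from (?P<sender>[^)\s]+)\).*?\bid (?P<qid>\S+)\s+for (?P<rcpt>[^;\s]+)"
)
FROM_RE = re.compile(r": (?P<qid>\w+): from=(?P<sender>[^,]+)")
TO_RE = re.compile(r": (?P<qid>\w+): to=(?P<rcpt>[^,]+).*?\bstat=(?P<stat>.*)$")


def is_external(addr: str) -> bool:
    """True when the address's domain is not one of ours; bare local users are internal."""
    addr = addr.strip("<>")
    if "@" not in addr:
        return False
    return addr.rsplit("@", 1)[1].lower() not in LOCAL_DOMAINS


def is_root(addr: str) -> bool:
    return addr.strip("<>").split("@", 1)[0].lower() == "root"


def parse_qf(lines):
    """Header name (lower-cased) -> value for each H?flags?Name: line."""
    headers = {}
    for line in lines:
        m = QF_RE.match(line)
        if m:
            headers[m["name"].lower()] = m["value"]
    return headers


def assess_qf(lines):
    """Who injected the message (the '(from ...)' clause of the local Received
    header is filled in by sendmail from the submitting uid) and where it went."""
    headers = parse_qf(lines)
    m = RECEIVED_RE.search(headers.get("received", ""))
    if not m:
        return None
    return {
        "qid": m["qid"],
        "sender": m["sender"],
        "recipient": m["rcpt"],
        "from_header": headers.get("from", ""),
        "root_origin": is_root(m["sender"]),
        "external": is_external(m["rcpt"]),
    }


def suspicious_deliveries(lines):
    """Correlate from= and to= log lines by queue id and report
    root-originated mail addressed to an external domain, with its final status."""
    senders, hits = {}, []
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            senders[m["qid"]] = m["sender"].strip()
            continue
        m = TO_RE.search(line)
        if m:
            sender = senders.get(m["qid"], "")
            rcpt = m["rcpt"].strip()
            if is_root(sender) and is_external(rcpt):
                hits.append({"qid": m["qid"], "from": sender, "to": rcpt,
                             "status": m["stat"].strip()})
    return hits


if __name__ == "__main__":
    print(assess_qf(QF_LINES))
    for hit in suspicious_deliveries(MAILLOG_LINES):
        print(hit)
```

Two caveats match points made elsewhere in the thread: the "(from root@localhost)" clause tells you which local uid handed the message to sendmail, not how that uid was obtained, and if the box is rooted the log lines this correlates can themselves have been edited, so the queue file and the log are corroborating evidence, not proof.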
On Sun, Mar 13, 2005 at 09:06:26PM -0600, Henry Tang wrote:
Only if you don't boot the machine again.
If rm -rf has been put into the init sequence (perhaps /etc/boot) then by starting the machine again the rogue code will be started and do it's damage.
You can boot with knoppix and then mount your partitions and examine them for damage.
Did you install tripwire?
Tripwire looks like pretty good software! So I still do that after booting with knoppix?
I looked into my system and this is what I found and wonder.
Does this show that the email was sent by root?
H??Received: (from root@localhost) by main.yucreation.com (8.11.6/8.11.6/SuSE Linux 0.5) id j2A9fEW12735 for Blondu@mamef.us; Thu, 10 Mar 2005 03:41:14 -0600
H?D?Date: Thu, 10 Mar 2005 03:41:14 -0600
H?F?From: root <root>
I think the hack that sends out the email with shadow and passwd listing either has root access or shadow group access. Because according to this below it shows that only users of shadow or root can read the file. If the hacker has root, what is the purpose of getting the system config or shadow file via email.. I don't see a reason going through all that trouble. So must be user gdm.
GDM is an application like KDM which shows a GUI log in...
shadow:x:15:root,gdm
-rw-r--r-- 1 root root 3102 Mar 11 03:49 passwd
-rw-r--r-- 1 root root 3102 Jan 5 23:26 passwd-
-rw-r--r-- 1 root root 2761 Oct 8 2003 passwd.bak
-rw-r--r-- 1 root root 2942 Nov 23 2003 passwd.old
main:/etc # ls -la | grep shadow
-rw-r--r-- 1 root shadow 772 Feb 9 15:35 group
-rw-r--r-- 1 root shadow 744 Oct 7 2003 group.bak
-rw-r----- 1 root shadow 765 Nov 7 2003 gshadow
-rw------- 1 root root 755 Nov 7 2003 gshadow-
-rw-r----- 1 root shadow 1859 Mar 11 04:26 shadow
-rw-r----- 1 root shadow 1819 Jan 12 12:07 shadow-
-rw-r----- 1 root shadow 1361 Oct 8 2003 shadow.bak
-rw-r----- 1 root shadow 1859 Mar 11 04:24 shadow.old
In the file listing like below.. It is open to anyone so that doesn't explain much. :9
===============================================================
Mainly replying to point something out here: Nethack is a game. They aren't "hacking files".
Hacking Files..
/etc/opt/gnome/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/opt/kde2/share/applnk/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/Action/nethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/nethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.-368.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.desktop
/home/choad/ftp/appz/Macromedia_Studio_MX/FreeHand/Goodies/Assets/Templates/WebSite Templates/Snake Shack.FT9
/home/henry/hacking
/home/henry/_desktop/replays/hacked.rep
/home/henry/_desktop/replays/hacked2.rep
/opt/gnome/share/gnome/distribution-menus/SuSE/Games/TacticStrategy/xnethack.desktop
/opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jl
/opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jlc
/usr/games/nethack
/usr/games/nethack.d
/usr/games/nethack.d/nethack.qt
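The reasoning in the quoted message ("only users of shadow or root can read the file ... so must be user gdm") hinges on reading the ls -l mode bits together with the membership of the owning group, and that is worth doing mechanically rather than by eye. The following is an added example written for this page, not code from the thread. Its sample input is the /etc listing and the shadow group line exactly as posted, plus one constructed line showing what a mis-permissioned shadow file would look like; the set of "secret" file names is an assumption (shadow and gshadow with their backup suffixes).

```python
"""Who can read the password hashes?  Combine the ls -l mode bits with the
members of the owning group.  Added example; POSTED_* values are from the
thread, BAD_LISTING is constructed."""

import re

# ls -l output as posted (the passwd files and "ls -la | grep shadow").
POSTED_LISTING = """\
-rw-r--r-- 1 root root 3102 Mar 11 03:49 passwd
-rw-r--r-- 1 root root 3102 Jan 5 23:26 passwd-
-rw-r--r-- 1 root root 2761 Oct 8 2003 passwd.bak
-rw-r--r-- 1 root root 2942 Nov 23 2003 passwd.old
-rw-r--r-- 1 root shadow 772 Feb 9 15:35 group
-rw-r--r-- 1 root shadow 744 Oct 7 2003 group.bak
-rw-r----- 1 root shadow 765 Nov 7 2003 gshadow
-rw------- 1 root root 755 Nov 7 2003 gshadow-
-rw-r----- 1 root shadow 1859 Mar 11 04:26 shadow
-rw-r----- 1 root shadow 1819 Jan 12 12:07 shadow-
-rw-r----- 1 root shadow 1361 Oct 8 2003 shadow.bak
-rw-r----- 1 root shadow 1859 Mar 11 04:24 shadow.old
"""

# Constructed: the same file with a mode that lets every local user read the hashes.
BAD_LISTING = "-rw-r--r-- 1 root shadow 1859 Mar 11 04:26 shadow\n"

POSTED_GROUP_LINE = "shadow:x:15:root,gdm"  # /etc/group line as posted

# mode, links, owner, group, size, month, day, time-or-year, name
LS_RE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)

# Files whose contents are secret (assumption); backups share the stem.
SECRET_STEMS = {"shadow", "gshadow"}


def stem(name: str) -> str:
    """Strip the backup suffixes SuSE/pwdutils leave behind: shadow-, .bak, .old."""
    for suffix in ("-", ".bak", ".old"):
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return name


def parse_ls(listing: str):
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if m:
            yield m["mode"], m["owner"], m["group"], m["name"]


def audit_listing(listing: str):
    """Findings for secret files: world-readable, group-readable by the wrong
    group, or not owned by root.  mode[1:4]=owner, [4:7]=group, [7:10]=other."""
    findings = []
    for mode, owner, group, name in parse_ls(listing):
        if stem(name) not in SECRET_STEMS:
            continue
        if mode[7] == "r":
            findings.append(f"{name}: world-readable ({mode})")
        if mode[4] == "r" and group != "shadow":
            findings.append(f"{name}: group-readable by {group!r}, not 'shadow'")
        if owner != "root":
            findings.append(f"{name}: owned by {owner!r}, not root")
    return findings


def group_members(group_line: str):
    name, _pw, _gid, members = group_line.strip().split(":")
    return name, [m for m in members.split(",") if m]


def hash_readers(listing: str, group_line: str):
    """Accounts able to read at least one secret file, from mode bits plus group membership."""
    readers = set()
    gname, members = group_members(group_line)
    for mode, owner, group, name in parse_ls(listing):
        if stem(name) not in SECRET_STEMS:
            continue
        readers.add(owner)
        if mode[4] == "r" and group == gname:
            readers.update(members)
        if mode[7] == "r":
            readers.add("*everyone*")
    return sorted(readers)


if __name__ == "__main__":
    print("findings:", audit_listing(POSTED_LISTING) or "none")
    print("can read hashes:", hash_readers(POSTED_LISTING, POSTED_GROUP_LINE))
    print("constructed bad listing:", audit_listing(BAD_LISTING))
```

On the posted listing the modes are as they should be and the readers come out as root and gdm, which is what the poster reasoned by hand; whether a given member of the shadow group is expected on a particular distribution is a judgement the listing alone cannot make, and the reply above notes that gdm is the graphical login manager. The constructed line shows the check that should fire if a shadow file had been chmod'ed world-readable.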
The Sunday 2005-03-13 at 21:06 -0600, Henry Tang wrote:
I think the hack that sends out the email with shadow and passwd listing either has root access or shadow group access. Because according to this below it shows that only users of shadow or root can read the file. If the hacker has root, what is the purpose of getting the system config or shadow file via email.. I don't see a reason going through all that trouble. So must be user gdm.
A reason to send an email could be because it was an automated attack. -- Cheers, Carlos
participants (7): Adalberto Castelo, Allen, Anders Johansson, Carlos E. R., Henry Tang, Mike, Randall R Schulz