[vox] cal.net rant
Ryan Castellucci
vox@lists.lugod.org
Sat, 20 Sep 2003 23:39:10 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cal.net offers shell access to one of their systems.
[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ uname -a
Linux shell1.cal.net 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
Vulnerable to the ptrace upgrade
$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)
They WERE running debian potato....
[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ ./chkproc -v
PID 14: not in readdir output
PID 14: not in ps output
You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Oops, looks like someone *already* "0wn3d" the box....
$ cat /proc/14/cmdline
initauto
$ ls -al /sbin/init /sbin/telinit
-rwxr-xr-x 1 root root 26920 Apr 19 2002 /sbin/init
-rwxr-xr-x 1 root root 26920 Apr 19 2002 /sbin/telinit
This is a sign that the SucKit rootkit was installed
This attacker had installed a program to log passwords, and got one of mine when I logged on to my servers from there. He installed an editor called aee and a password logger that logged to /usr/lib/mem/mem
[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ ls -al /usr/lib/mem/mem
-rw--w--w- 1 root root 217782 Sep 20 23:21 /usr/lib/mem/mem
it has been truncated, apparently, as it was up to 3MB
$ ls -al /usr/lib/mem
total 44
-rwxr-xr-x 1 root root 27976 Apr 9 13:31
drwxr-xr-x 2 root root 4096 Apr 24 15:26 .
drwxr-xr-x 24 root root 12288 Apr 24 15:25 ..
It seems this was done in April
The admin was notified the week after LinuxWorld
ns2.cal.net was also infected with slapper according to them (it was doing ssh scans of my machines at work, which are on a nearby ip block)
I'm going to bite the bullet and switch to omsoft DSL at the end of this month.
I would like to see an article published in the Enterprise about this, as I am VERY annoyed that they are partly to blame for two of my systems being cracked, and that they are allowing this intruder to have free rein on their system; however, I doubt the Enterprise would make a story out of this. If anyone knows of anywhere I can complain to that will bring this to the attention of the public, I would be appreciative.
-- 
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90 34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
Also available at http://www.cal.net/~ryan/ryan_at_mother_dot_com.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/bUeOEd9E83IXe8cRAkkuAJ4v0Bok/Lv3pGqppxW4hXkn/r9O5wCfRTFn
OogWWYnw4zILu4koG96MsJI=
=rD6t
-----END PGP SIGNATURE-----
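The check chkproc ran in the post above (a PID that exists in /proc but is missing from both the readdir listing and the ps output) can be reproduced with a short defender-side script. The following is an added example, not code from the original post or from the chkrootkit project. It assumes a Linux /proc and a ps binary in PATH, and the PID sets in SAMPLE_PROBED and SAMPLE_VIEWS are constructed to mirror the post's output, not taken from a real system.

```python
"""Hidden-process check in the spirit of chkrootkit's chkproc (added example).

Three views of the process table are compared: readdir(/proc), the output of
ps, and a brute-force probe that opens /proc/<pid> by number. A kernel-resident
rootkit such as the one in the post hides its process from the first two, but
the per-PID directory can still be reached by number, so the probe finds it.
"""
import os
import subprocess
from typing import Callable, Dict, List, Set


def pids_from_readdir(proc_root: str = "/proc") -> Set[int]:
    """PIDs as returned by readdir(2) on /proc (the same view `ls /proc` has)."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs as reported by ps, the second view chkproc compares against."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def is_process(pid: int) -> bool:
    """True if /proc/<pid> exists and is a thread-group leader (Tgid == Pid).

    On 2.6+ kernels threads are reachable as /proc/<tid> but are legitimately
    absent from readdir and from ps; counting them would be a false positive.
    """
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        return False
    return False


def pids_by_probe(exists: Callable[[int], bool], pid_max: int) -> Set[int]:
    """Brute-force view: every PID in 1..pid_max for which exists(pid) holds."""
    return {pid for pid in range(1, pid_max + 1) if exists(pid)}


def parse_cmdline(raw: bytes) -> List[str]:
    """Split a /proc/<pid>/cmdline buffer (NUL-separated argv) into a list."""
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\0") if arg]


def hidden_report(probed: Set[int], views: Dict[str, Set[int]]) -> Dict[str, List[int]]:
    """For each named view, the probed PIDs that the view failed to list."""
    return {name: sorted(probed - seen) for name, seen in views.items()}


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound for the probe; falls back to the 2.4-era ceiling of 32768."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


# Constructed sample (not from a real system): three live PIDs, of which 14 is
# absent from both listings, mirroring the chkproc output quoted in the post.
SAMPLE_PROBED = {1, 14, 200}
SAMPLE_VIEWS = {"readdir": {1, 200}, "ps": {1, 200}}


def demo() -> Dict[str, List[int]]:
    """Run the comparison on the constructed sample."""
    return hidden_report(SAMPLE_PROBED, SAMPLE_VIEWS)


def main() -> None:
    """Live run against this host's /proc (requires Linux and ps)."""
    probed = pids_by_probe(is_process, read_pid_max())
    report = hidden_report(probed, {"readdir": pids_from_readdir(),
                                    "ps": pids_from_ps()})
    for name, missing in report.items():
        for pid in missing:
            print(f"PID {pid}: not in {name} output")
        print(f"You have {len(missing)} process(es) hidden for {name} command")
    # Show what a hidden PID claims to be, as the post did with cat /proc/14/cmdline.
    for pid in set().union(*report.values()):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                print(pid, parse_cmdline(fh.read()))
        except OSError:
            pass  # process exited between the probe and the read


if __name__ == "__main__":
    main()
```

Two caveats for a live run: a process that starts or exits between the probe and the listings shows up as a one-off discrepancy, so repeat the run before treating a PID as hidden; and, as with chkproc, the result only says that the kernel's own /proc disagrees with itself, so a positive hit should be followed by an offline examination of the disk from known-good media rather than by more commands on the compromised host.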