[vox] cal.net rant

Ryan Castellucci vox@lists.lugod.org
Sat, 20 Sep 2003 23:39:10 -0700


Cal.net offers shell access to one of their systems.

[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ uname -a
Linux shell1.cal.net 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown

Vulnerable to the ptrace upgrade

$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)

They WERE running Debian potato....

[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ ./chkproc -v
PID    14: not in readdir output
PID    14: not in ps output
You have     1 process hidden for readdir command
You have     1 process hidden for ps command

Oops, looks like someone *already* "0wn3d" the box....

$ cat /proc/14/cmdline
initauto

$ ls -al /sbin/init /sbin/telinit
-rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/init
-rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/telinit

This is a sign that the SucKit rootkit was installed

This attacker had installed a program to log passwords, and got one of mine when I logged on to my servers from there. He installed an editor called aee and a password logger that logged to /usr/lib/mem/mem.

[ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
$ ls -al /usr/lib/mem/mem
-rw--w--w-    1 root     root       217782 Sep 20 23:21 /usr/lib/mem/mem

It has been truncated, apparently, as it was up to 3MB.

$ ls -al /usr/lib/mem
total 44
-rwxr-xr-x    1 root     root        27976 Apr  9 13:31
drwxr-xr-x    2 root     root         4096 Apr 24 15:26 .
drwxr-xr-x   24 root     root        12288 Apr 24 15:25 ..

It seems this was done in April.

The admin was notified the week after LinuxWorld

ns2.cal.net was also infected with Slapper according to them (it was doing ssh scans of my machines at work, which are on a nearby IP block).

I'm going to bite the bullet and switch to Omsoft DSL at the end of this month.

I would like to see an article published in the enterprise about this, as I am VERY annoyed that they are partly to blame for two of my systems being cracked, and that they are allowing this intruder to have free rein on their system; however, I doubt the enterprise would make a story out of this. If anyone knows of anywhere I can complain to that will bring this to the attention of the public, I would be appreciative.

--
PGP/GPG Fingerprint: 3B30 C6BE B1C6 9526 7A90  34E7 11DF 44F3 7217 7BC7
On pgp.mit.edu, import with `gpg --keyserver pgp.mit.edu --recv-key 72177BC7`
Also available at http://www.cal.net/~ryan/ryan_at_mother_dot_com.asc
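The chkproc run in the message above works by comparing several views of the process table. The following is an added example, not chkrootkit's code and not part of the original post, that reproduces that idea in Python: it probes every PID with kill(pid, 0), keeps only real processes by checking Tgid in /proc/<pid>/status (so thread IDs are not mistaken for hidden processes), and reports PIDs missing from the readdir and ps views, the same two checks chkproc printed. It assumes a Linux host with procfs mounted; ps is optional.

```python
import os
import subprocess
PROC = "/proc"  # assumed: a Linux host with procfs mounted (ps is optional)

def pids_from_readdir():
    """PIDs seen by listing /proc; a rootkit hooking getdents() hides entries from this view."""
    return {int(n) for n in os.listdir(PROC) if n.isdigit()}

def pids_from_ps():
    """PIDs reported by ps, which reads /proc itself, so a trojaned ps or libc hides here too."""
    try:
        out = subprocess.run(["ps", "-eo", "pid="], capture_output=True, text=True, check=False).stdout
    except OSError:  # no ps on a minimal box: report an empty view rather than crash
        return set()
    return {int(t) for t in out.split() if t.isdigit()}

def pids_from_probe(upper=None):
    """kill(pid, 0) on every candidate, as chkproc does; EPERM still means the PID exists."""
    if upper is None:  # the kernel publishes its own PID ceiling
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            upper = int(fh.read())
    found = set()
    for pid in range(1, upper + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found

def is_process(pid):
    """Thread IDs answer kill() but are never listed in /proc: keep thread-group leaders only (Tgid == pid)."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            return any(l.startswith("Tgid:") and int(l.split()[1]) == pid for l in fh)
    except OSError:  # just exited, or really hidden: keep it in the report rather than drop it
        return True

def hidden_pids(visible, probed):  # pure comparison: exists per probing, absent from one view
    return sorted(probed - visible)

def report(upper=None):  # the two checks chkproc prints; both lists empty on a clean host
    probed = {p for p in pids_from_probe(upper) if is_process(p)}
    return {"readdir": hidden_pids(pids_from_readdir(), probed), "ps": hidden_pids(pids_from_ps(), probed)}

def self_pid_visible():  # sanity check: which views show our own PID
    me = os.getpid()
    return {"readdir": me in pids_from_readdir(), "ps": me in pids_from_ps(), "probe": me in pids_from_probe(me)}
```

Call report() as root to cover every PID; a process that was created and exited between the probe and the listing can show up once as a false positive, so re-run before acting on a single hit.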