[vox] cal.net rant

Jeff Newmiller vox@lists.lugod.org
Sun, 21 Sep 2003 19:40:06 -0700 (PDT)


On Sat, 20 Sep 2003, Ryan Castellucci wrote:

> Cal.net offers shell access to one of their systems.
> 
> [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> $ uname -a
> Linux shell1.cal.net 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
> 
> Vulnerable to the ptrace upgrade
> 
> $ cat /etc/redhat-release
> Red Hat Linux release 7.3 (Valhalla)
> 
> They WERE running debian potato....
> 
> [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> $ ./chkproc -v
> PID    14: not in readdir output
> PID    14: not in ps output
> You have     1 process hidden for readdir command
> You have     1 process hidden for ps command
> 
> Oops, looks like someone *already* "0wn3d" the box....
> 
> $ cat /proc/14/cmdline
> initauto
> 
> $ ls -al /sbin/init /sbin/telinit
> -rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/init
> -rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/telinit
> 
> This is a sign that the SucKit rootkit was installed
> 
> This attacker had installed a program to log passwords, and got one of mine 
> when I logged on to my servers from there. He installed an editor called aee 
> and a password logger that logged to /usr/lib/mem/mem
> 
> [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> $ ls -al /usr/lib/mem/mem
> -rw--w--w-    1 root     root       217782 Sep 20 23:21 /usr/lib/mem/mem
> 
> It has been truncated, apparently, as it was up to 3MB.
> 
> $ ls -al /usr/lib/mem
> total 44
> -rwxr-xr-x    1 root     root        27976 Apr  9 13:31
> drwxr-xr-x    2 root     root         4096 Apr 24 15:26 .
> drwxr-xr-x   24 root     root        12288 Apr 24 15:25 ..
> 
> It seems this was done in April.
> 
> The admin was notified the week after LinuxWorld
> 
> ns2.cal.net was also infected with slapper according to them (it was doing 
> ssh scans of my machines at work, which are on a nearby ip block)
> 
> I'm going to bite the bullet and switch to omsoft DSL at the end of this 
> month.
> 
> I would like to see an article published in the Enterprise about this, as I 
> am VERY annoyed that they are partly to blame for two of my systems being 
> cracked, and that they are allowing this intruder to have free rein on their 
> system. However, I doubt the Enterprise would make a story out of this. If 
> anyone knows of anywhere I can complain to that will bring this to the 
> attention of the public, I would be appreciative.

I am interested to see your analysis of the problem.  Definitely not fun.

However, I am not really sure why this situation is pushing you to switch
to Omsoft.  They are Linux-friendly, but not necessarily
Linux advocates... they depend heavily on Windows NT.  Davis Community
Network (which is sort of related to Omsoft) has two (or more?) Sun boxen.  
I have an account on one of these, and while I have no information leading
me to suspect that they are or ever have been 0wned, I would simply never
make a backward connection into my home box from that shell account, so
the worst that can happen through that account is defacement of my website
or perusal of my email.  I would not be particularly happy to encounter
defacement of my website, but I would most likely simply request the
sysadmin to review the security of their box and change my password. (I do
think DCN is competent to do that... you may not have even that level of
confidence in cal.net anymore.)

I like Omsoft as an ISP, but I don't have any reason to think they have
any special claim to better security than cal.net... and I don't hold them
even partly responsible for the integrity of my LAN.  There are too many
ways a random computer can be doctored to make remote shell connections to
my home box permissible to more than my laptop.

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
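The chkproc output quoted in Ryan's message ("PID 14: not in readdir output / not in ps output") comes from a simple technique: a process that a kernel-level rootkit hides from readdir("/proc") and from ps still answers when probed directly by PID with kill(pid, 0). The script below is an added example of that comparison and is not code from the original post, from chkrootkit, or from cal.net. It assumes a Linux host with a /proc filesystem and a ps that accepts "-eo pid=" (both assumptions, not facts from the thread); the hidden_pids() comparison itself is a pure function that runs on constructed input.

```python
"""Hidden-process check in the spirit of chkrootkit's chkproc (added example).

Idea: kill(pid, 0) delivers no signal but reports whether a PID exists, so
brute-forcing PIDs 1..max_pid and comparing against what /proc and ps list
exposes processes a rootkit is hiding from directory listings.
"""
import os
import subprocess
from typing import Iterable, List, Set


def probe_pids(max_pid: int) -> Set[int]:
    """PIDs that exist according to kill(pid, 0), regardless of /proc listing.

    EPERM (PermissionError) means the PID exists but belongs to another
    user, so it still counts as alive; only ESRCH means "no such process".
    """
    alive: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def readdir_pids() -> Set[int]:
    """PIDs visible as numeric directory entries in /proc (assumes Linux)."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids() -> Set[int]:
    """PIDs reported by ps (assumes a procps-style ps with -eo pid=)."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}


def hidden_pids(probed: Iterable[int], listed: Iterable[int],
                self_pid: int) -> List[int]:
    """Pure comparison: PIDs alive by probe but absent from every listing.

    The checker's own PID is excluded because it is trivially alive and may
    postdate the listing used for comparison.
    """
    return sorted(p for p in set(probed) - set(listed) if p != self_pid)


def max_pid() -> int:
    """Kernel PID ceiling from /proc/sys/kernel/pid_max (assumes Linux),
    falling back to the classic 32768 if the file is unreadable."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except OSError:
        return 32768


def scan() -> List[int]:
    """Live scan. Listings are taken before and after the probe so a process
    that merely started or exited mid-scan (a race, not a rootkit) is not
    reported; a hidden PID must be alive and unlisted in both passes."""
    before = readdir_pids() | ps_pids()
    probed = probe_pids(max_pid())
    after = readdir_pids() | ps_pids()
    return hidden_pids(probed, before | after, os.getpid())


if __name__ == "__main__":
    hidden = scan()
    if hidden:
        for pid in hidden:
            print(f"PID {pid}: alive but not in readdir/ps output")
        print(f"You have {len(hidden)} hidden process(es)")
    else:
        print("No hidden processes found")
```

A PID flagged by this check deserves the same follow-up Ryan did: read /proc/PID/cmdline and /proc/PID/exe directly, which the rootkit may still serve even though it hides the directory entry. Like chkproc, the check is only as trustworthy as the kernel it runs on; a rootkit that also lies to kill(2) defeats it, so a clean result is not proof of a clean box.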