[vox] cal.net rant

Mark K. Kim vox@lists.lugod.org
Sun, 21 Sep 2003 21:22:51 -0700 (PDT)


sonic.net is quite knowledgeable, at least more than me.  They offer
nation-wide dial-up, and also DSL in SBC-serviced CA regions.  The cost is
a bit pricey, but you get 4 static IPs.

-Mark


On Sun, 21 Sep 2003, Jeff Newmiller wrote:

> On Sat, 20 Sep 2003, Ryan Castellucci wrote:
>
> > Cal.net offers shell access to one of their systems.
> >
> > [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> > $ uname -a
> > Linux shell1.cal.net 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
> >
> > Vulnerable to the ptrace upgrade
> >
> > $ cat /etc/redhat-release
> > Red Hat Linux release 7.3 (Valhalla)
> >
> > They WERE running debian potato....
> >
> > [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> > $ ./chkproc -v
> > PID    14: not in readdir output
> > PID    14: not in ps output
> > You have     1 process hidden for readdir command
> > You have     1 process hidden for ps command
> >
> > Oops, looks like someone *already* "0wn3d" the box....
> >
> > $ cat /proc/14/cmdline
> > initauto
> >
> > $ ls -al /sbin/init /sbin/telinit
> > -rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/init
> > -rwxr-xr-x    1 root     root        26920 Apr 19  2002 /sbin/telinit
> >
> > This is a sign that the SucKIT rootkit was installed
> >
> > This attacker had installed a program to log passwords, and got one of mine
> > when I logged on to my servers from there. He installed an editor called aee
> > and a password logger that logged to /usr/lib/mem/mem
> >
> > [ryan@shell1]-[pts/0]-[~/chkrootkit-0.41]
> > $ ls -al /usr/lib/mem/mem
> > -rw--w--w-    1 root     root       217782 Sep 20 23:21 /usr/lib/mem/mem
> >
> > it has been truncated, apparently, as it was up to 3MB
> >
> > $ ls -al /usr/lib/mem
> > total 44
> > -rwxr-xr-x    1 root     root        27976 Apr  9 13:31
> > drwxr-xr-x    2 root     root         4096 Apr 24 15:26 .
> > drwxr-xr-x   24 root     root        12288 Apr 24 15:25 ..
> >
> > It seems this was done in April
> >
> > The admin was notified the week after LinuxWorld
> >
> > ns2.cal.net was also infected with slapper according to them (it was doing
> > ssh scans of my machines at work, which are on a nearby ip block)
> >
> > I'm going to bite the bullet and switch to omsoft DSL at the end of this
> > month.
> >
> > I would like to see an article published in the enterprise about this, as I
> > am VERY annoyed that they are partly to blame for two of my systems being
> > cracked, and that they are allowing this intruder to have free rein on their
> > system, however, I doubt the enterprise would make a story out of this. If
> > anyone knows of anywhere I can complain to that will bring this to the
> > attention of the public, I would be appreciative.
>
> I am interested to see your analysis of the problem.  Definitely not fun.
>
> However, I am not really sure why this situation is pushing you to switch
> to Omsoft.  They are linux-friendly, but not necessarily
> linux-advocates... they depend heavily on Windows NT.  Davis Community
> Network (which is sort of related to Omsoft) has two (or more?) sun boxen.
> I have an account on one of these, and while I have no information leading
> me to suspect that they are or ever have been 0wned, I would simply never
> make a backward connection into my home box from that shell account, so
> the worst that can happen through that account is defacement of my website
> or perusal of my email.  I would not be particularly happy to encounter
> defacement of my website, but I would most likely simply request the
> sysadmin to review the security of their box and change my password. (I do
> think DCN is competent to do that... you may not have even that level of
> confidence in cal.net anymore.)
>
> I like Omsoft as an ISP, but I don't have any reason to think they have
> any special claim to better security than cal.net... and I don't hold them
> even partly responsible for the integrity of my LAN.  There are too many
> ways a random computer can be doctored to make remote shell connections to
> my home box permissible to more than my laptop.
>
> ---------------------------------------------------------------------------
> Jeff Newmiller                        The     .....       .....  Go Live...
> DCN:<jdnewmil@dcn.davis.ca.us>        Basics: ##.#.       ##.#.  Live Go...
>                                       Live:   OO#.. Dead: OO#..  Playing
> Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
> ---------------------------------------------------------------------------

-- 
Mark K. Kim
http://www.cbreak.org/
PGP key available on the website
PGP key fingerprint: 7324 BACA 53AD E504 A76E  5167 6822 94F0 F298 5DCE
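
The chkproc output quoted above reports a PID that is missing from the readdir listing of /proc yet still answers a direct read of /proc/14/cmdline. The following is an added example, not part of the original thread and not chkrootkit's code, that performs the same cross-view comparison in Python on a current Linux /proc; the function names are illustrative, and the thread filter and second listing are assumptions added here to cut false positives.

```python
# Added example: cross-view check for PIDs hidden from readdir() on /proc.
import os

PROC = "/proc"

def listed_pids():
    """PIDs returned by readdir() on /proc, the view ps and ls depend on."""
    return {int(name) for name in os.listdir(PROC) if name.isdigit()}

def answers_lookup(pid):
    """True if /proc/<pid> resolves by direct path lookup."""
    return os.path.isdir(f"{PROC}/{pid}")

def thread_group_id(pid):
    """Tgid from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"{PROC}/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except (OSError, ValueError):
        return None

def max_pid(default=32768):
    try:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            return int(fh.read())
    except (OSError, ValueError):
        return default

def hidden_pids(list_fn=listed_pids, lookup_fn=answers_lookup,
                tgid_fn=thread_group_id, limit=None):
    """PIDs that answer a direct lookup but are missing from readdir()."""
    limit = max_pid() if limit is None else limit
    before = list_fn()
    suspects = []
    for pid in range(1, limit + 1):
        if pid in before or not lookup_fn(pid):
            continue
        # Non-leader thread IDs resolve but are never listed; that is normal.
        if tgid_fn(pid) not in (pid, None):
            continue
        suspects.append(pid)
    # A second listing drops processes that merely started during the scan.
    after = list_fn()
    return [pid for pid in suspects if pid not in after and lookup_fn(pid)]

if __name__ == "__main__":
    print("PIDs hidden from readdir:", hidden_pids())
```

This only catches hiding done at the directory-listing layer; a kernel-level rootkit that also intercepts path lookups will not show up, so an empty result does not clear a host.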