[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Was my system cracked? (retry 2)

I just realised my earlier tries at sending this message were full of
almost 300K of control characters. I am trying again. Apologies if it


Hi all--

I arrived home tonight to see the following message plastered across all my
terminal windows on my webserver, ludism.org:

Message from syslogd@ludism at Sat Sep 30 19:10:53 2000 ... ludism

"???" I thought, and checked the system logs, which read as follows for the
period in question:

Sep 30 19:04:50 ludism inetd[219]: smtp/tcp: bind: Address already in use
Sep 30 19:08:01 ludism /USR/SBIN/CRON[32062]: (mail) CMD ( if [ -x
/usr/sbin/exim -a -f /etc/exim.conf ]; then /usr/sbin/exim -q >/dev/null
2>&1; fi) Sep 30 19:09:00 ludism innd: ME time 599939 idle 599938(2)
artwrite 0(0) artlink 0(0) hiswrite 0(0) hissync 0(3) Sep 30 19:10:53 ludism
Sep 30 19:10:53 ludism syslogd: Cannot glue message parts together Sep 30
19:10:53 ludism 173>Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname
error for
Sep 30 19:10:53 ludism «^F/bin«F^D/shA0¿àF^Gâv^LçV^PçN^LâÛ?^KÕÄ?^AÕÄË???
Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U) Sep 30
19:14:01 ludism innd: ME time 300548 idle 300544(2) artwrite 0(0) artlink
0(0) hiswrite 0(0) hissync 0(3)

I am far from a security expert, but it looks as though someone might have
been running some sort of shell script ("/bin/sh" appears somewhere near
the end of the garbage) via rpc. I also read the IP address
near the beginning, but can't locate that machine via host or ping.

Was this one of the famous sysklogd exploits? Yes, I was lazy and did not
upgrade until tonight, but I fear it may be too late.

I also found a file dated Friday, 22 September 2000, 6:03 PM in my /var/log
directory, reading thusly:

[...a whole lot of invisible characters...]
Ð?À9tty1F*¥9tty2ÿâã8ttyp4c1019188-a.fedwy1.wa.home.comÖd 8tty2®v

So, do you think my machine has been cracked? It looks as though they've
been trying to cover their tracks, but not doing it very well. If it is a
crack, what can I do about it apart from wiping the machine and rebuilding
from the ground up?


Ron Hale-Evans

   Ron's Info Closet: Center for Ludic Synergy, Kennexions Glass Bead Game,
    Positive Revolution FAQ, Hexagram-8 I Ching Mailing List, and links...
   Ron Hale-Evans ... rwhe@ludism.org ... <http://www.apocalypse.org/~rwhe/>
                    Further up and further in! fnord

Reply to: