[HPADM] hacked problem

From: Peter Unmack (peter@fish.la.asu.edu)
Date: Sun Apr 25 2004 - 19:52:08 EDT


G'day folks

Today I discovered my machine had been hacked into. I am running a 712/60
with hp-ux 10.2. For the most part this is a low use machine that I use
for personal stuff such as email and as a web server. For the most part I
am a fish biologist, not a computer guru, so please assume I am moderately
stupid when it comes to unix management. The machine has not been
patched.

The first thing I noticed was I could no longer ftp or telnet to my
machine from any PCs around the place. I rebooted the machine which
obviously didn't fix the problem. Then I looked around in SAM and found
out my ftp access had been disabled (which I had been doing only a few
minutes before I lost access). Then I looked in the OLDsyslog.log and
found someone had gotten in. The syslog entries are as follows:

Apr 25 11:10:12 fish ftpd[24277]: connection from db2-om.ssdtgsm.com at
Sun Apr 25 11:10:12 2004
Apr 25 11:34:58 fish syslog: su : + ttyp1 l0l-lol
Apr 25 11:36:07 fish inetd[667]: Rereading configuration
Apr 25 11:36:07 fish inetd[667]: netbios-ns/udp: Deleted service
Apr 25 11:36:07 fish inetd[667]: netbios-ssn/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: swat/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: spc/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: recserv/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: rpc.cmsd/udp: Deleted service
Apr 25 11:36:07 fish inetd[667]: dtspc/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: rpc.ttdbserver/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: klogin/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: kshell/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: chargen/udp: Deleted service
Apr 25 11:36:07 fish inetd[667]: chargen/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: discard/udp: Deleted service
Apr 25 11:36:07 fish inetd[667]: discard/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: echo/udp: Deleted service
Apr 25 11:36:07 fish inetd[667]: echo/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: time/udp: Deleted service
Apr 25 11:36:07 fish inetd[667]: time/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: daytime/udp: Deleted service
Apr 25 11:36:07 fish inetd[667]: daytime/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: printer/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: auth/tcp: Deleted service
Apr 25 11:36:07 fish inetd[667]: ntalk/udp: Deleted service
Apr 25 11:36:07 fish inetd[667]: exec/tcp: Deleted service
Apr 25 11:36:08 fish inetd[667]: shell/tcp: Deleted service
Apr 25 11:36:08 fish inetd[667]: login/tcp: Deleted service
Apr 25 11:36:08 fish inetd[667]: telnet/tcp: Deleted service
Apr 25 11:36:08 fish inetd[667]: ftp/tcp: Deleted service
Apr 25 11:36:08 fish inetd[667]: Configuration complete
Apr 25 11:45:34 fish xntpd[933]: offset 0.000000 freq 0.00000 comp 0
Apr 25 12:45:34 fish xntpd[933]: offset 0.000000 freq 0.00000 comp 0
Apr 25 13:45:34 fish xntpd[933]: offset 0.000000 freq 0.00000 comp 0
Apr 25 14:45:34 fish xntpd[933]: offset 0.000000 freq 0.00000 comp 0
Apr 25 15:32:54 fish syslog: libtt[23150]: _Tt_rpc_client::init():
fcntl(F_SETFD): m
Apr 25 15:32:54 fish syslog: libtt[23151]: _Tt_rpc_client::init():
fcntl(F_SETFD): m
Apr 25 15:32:54 fish syslog: libtt[23150]: ttdt_Xt_input_handler():
tttk_message_receive(): TT_ERR_NOMP^INo ttsession process is running,
probably because tt_open() has not been called yet. If this code is
returned from tt_open() it means ttsession could not be started, which
generally means ToolTalk is not installed on this system.
Apr 25 15:32:55 fish syslog: libtt[23151]: ttdt_Xt_input_handler():
tttk_message_receive(): TT_ERR_NOMP^INo ttsession process is running,
probably because tt_open() has not been called yet. If this code is
returned from tt_open() it means ttsession could not be started, which
generally means ToolTalk is not installed on this system.

Next step I started looking around in my list of users and discovered
three had been added, lol, l0l, lolza. (when I do a google search on
lolza there seems to be lots of foreign stuff that seems to relate to sex
sites). I tried to deactivate all three users, but l0l could not be
deactivated because they were logged in (although I could not finger that
user or find any processes via ps -ef being run by them). In each case
their home directory was listed as /tmp, so I took a look there and they
had created a directory called .mail which had the following contents:

CHANGES
COPYING
FAQ
Makefile
README
TODO
USER3.LOG
config.h
dtgreet
help
log
makefile.out
makesalt
menuconf
motd
psybnc.conf
psybnc.conf.old
psybnc.pid
psybncchk
salt.h
scripts
src
targets.mak
tools

When I looked at the USER3.LOG file I found

~Sun Apr 25 12:23:28 :(CopdRd!~CopaneLc@Kappa.NetClub.Customer.Bz.iNES.Ro)
<etx>4Hey if you wanna take a look at:<etx>10 WWW.Geocities.com/spaciba
Julia is Naked :o)
~Sun Apr 25 12:23:40 :(dulcyk!lucya@80.97.245.92) hy
~Sun Apr 25 13:31:43 :(c|pr|an!~vndfvkfd@213.233.110.113) sal
~Sun Apr 25 13:31:48 :(c|pr|an!~vndfvkfd@213.233.110.113) inveti in lic 1
~Sun Apr 25 13:41:09 :(X!cservice@undernet.org) (codrut) prea multe
beneceuri. next ban
~Sun Apr 25 13:43:33 :(X!cservice@undernet.org) (codrut) prea multe
beneceuri. next ban

The first thing I did was copy /tmp/.mail to another directory then
deleted /tmp/.mail. I then changed the root password and added
/etc/securetty with /dev/console.

I'm not totally sure that that cut off their access since I don't really
know how they got in, nor exactly when those users were created.

I guess my main question is how do I prevent this and undo their changes?
Also, should I bother to alert anyone to this break-in or will it be a
waste of time? Any suggestions would be greatly appreciated.

Thanks
Peter Unmack
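An added triage script, not from the post or the list, that checks the three indicators the post itself shows: the su to an unfamiliar account, the burst of inetd "Deleted service" entries, and accounts whose home directory is /tmp. The syslog sample is a subset of the lines quoted above; the /etc/passwd excerpt and the KNOWN_ACCOUNTS list are assumptions.

```python
import re

# Constructed sample input: a subset of the syslog lines quoted in the post,
# plus a hypothetical /etc/passwd excerpt (uids, gids and shells are made up)
# holding the three accounts the post says were added with home dir /tmp.
SYSLOG = """\
Apr 25 11:10:12 fish ftpd[24277]: connection from db2-om.ssdtgsm.com at Sun Apr 25 11:10:12 2004
Apr 25 11:34:58 fish syslog: su : + ttyp1 l0l-lol
Apr 25 11:36:07 fish inetd[667]: Rereading configuration
Apr 25 11:36:07 fish inetd[667]: auth/tcp: Deleted service
Apr 25 11:36:08 fish inetd[667]: telnet/tcp: Deleted service
Apr 25 11:36:08 fish inetd[667]: ftp/tcp: Deleted service
Apr 25 11:36:08 fish inetd[667]: Configuration complete
Apr 25 11:45:34 fish xntpd[933]: offset 0.000000 freq 0.00000 comp 0
"""
PASSWD = """\
root:x:0:3::/:/sbin/sh
peter:x:101:20::/home/peter:/usr/bin/sh
lol:x:102:20::/tmp:/usr/bin/sh
l0l:x:103:20::/tmp:/usr/bin/sh
lolza:x:104:20::/tmp:/usr/bin/sh
"""
# Assumption: the administrator keeps a list of the accounts that should exist.
KNOWN_ACCOUNTS = {"root", "peter"}

# The su line in the post has the form "su : + <tty> <from>-<to>"; "+" marks success.
SU_RE = re.compile(r"su : \+ (\S+) (\S+)-(\S+)$")
INETD_DEL_RE = re.compile(r"inetd\[\d+\]: (\S+): Deleted service$")


def triage(syslog, passwd, known=KNOWN_ACCOUNTS):
    """Return su events involving unknown accounts, services removed from
    inetd, and accounts that are unknown or have a home directory under /tmp."""
    findings = {"su_unknown": [], "inetd_deleted": [], "suspect_accounts": []}
    for line in syslog.splitlines():
        m = SU_RE.search(line)
        if m:
            tty, src, dst = m.groups()
            if src not in known or dst not in known:
                findings["su_unknown"].append((src, dst, tty))
        m = INETD_DEL_RE.search(line)
        if m:
            findings["inetd_deleted"].append(m.group(1))
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if len(fields) < 7:
            continue  # skip malformed passwd lines rather than crash
        user, home = fields[0], fields[5]
        if user not in known or home == "/tmp" or home.startswith("/tmp/"):
            findings["suspect_accounts"].append(user)
    return findings


if __name__ == "__main__":
    for key, hits in triage(SYSLOG, PASSWD).items():
        print(f"{key}: {hits}")
```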

--
             ---> Please post QUESTIONS and SUMMARIES only!! <---
        To subscribe/unsubscribe to this list, contact majordomo@dutchworks.nl
       Name: hpux-admin@dutchworks.nl     Owner: owner-hpux-admin@dutchworks.nl
 
 Archives:  ftp.dutchworks.nl:/pub/digests/hpux-admin       (FTP, browse only)
            http://www.dutchworks.nl/htbin/hpsysadmin   (Web, browse & search)


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 11:02:40 EDT