* * * * *

                           Now that's darned rude!

It's 5:30. I'm with some friends when I get beeped. It's my home number. I
call. It's my roommate. His RedHat 6.0 box was hacked. What should he do?

I mention a few things to look for, but it looks bad. Whoever broke in
either got spooked or was feeling malicious, and the final two commands we
found in the .bash_history file were:

> rm -rf /var/log
> rm -rf /*
>

My roommate, Rob, [1] managed to stop it before it did more damage, but they
still wiped out /boot, /bin and parts of /dev. Using Tom's RootBoot disk [2]
he was able to survey the damage and then waited until I got home.

From what I've been able to determine, it appears that some script kiddie was
running a program to look for exploitable boxes (RedHat 6.0), because around
noon yesterday someone tried to FTP into my box and Rob's other box from
Harvard. [3] Said script kiddie then had a list of hosts to exploit
today, and Rob's box was broken into and damaged around 5:30 pm EST.

Breaking in and looking around is one thing. Maliciously deleting files is
another.

[1] http://www.tragic-smurfs.com/
[2] http://www.toms.net/rb/
[3] http://www.harvard.edu/

Email author at [email protected]