Help me analysis what did hacker do?

Dagmar d'Surreal dagmar.wants at nospam.com
Thu Jul 17 14:18:31 PDT 2003


On Thu, 2003-07-17 at 09:26, Heiko Vogel wrote:
> Dagmar d'Surreal wrote:
> 
> > Oh, and the hacker didn't _need_ to change the password for root, they
> > already managed to get in.  j00 w3r3 0wn3d.
>  ^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> What makes you believe that ?
> Is it the case of the .bash_history lying around in / ?
> Well, this could be a proof for a succesful hack, because only 
> root has write access to /. 

You have answered your own question.  Enlightenment is upon you...

> (But the contents of the .bash_history are not a proof!!!)

...okay, maybe not.  Dude, files don't get written to places like / on
accident, ever.  That would be the sign of a horrifyingly unstable
system.  Unless Mr. Liu simply didn't recognize a bunch of his own
commands, the file is very likely one left behind by a completely
clueless script kiddie, and if it's there, they were logged in.

> So my question for the original poster: 
> 1. Did the .bash_history really lie around in /, or was it in a 
>    subdirectory ?
> 2. Who was the owner of that file -- which group did it belong to ?
> 
> For me the whole looks like a UNIX-newbie who tried something he had 
> read about in his brand-new "linux hackers guide".

...and to startle the hell out of most of the list, since Mr. Liu
mentioned this was a Redhat box, if it was RH 6.2 (terrifyingly enough
rather common in some asian countries--AlZZa is terrible), pretty much
every network service has a published exploit, and the same goes for the
7.x series as well.  8.x is less problematic, but this is probably just
a function of how long it's been out.  Unless you update your service
binaries regularly, expect to get spanked by script kiddies.  (I somehow
doubt the machine was receiving the attention and care it needed)
-- 
The email address above is just as phony as it looks, and for obvious reasons.
Instant messaging contact nfo: AIM: evilDagmar  Jabber: evilDagmar at jabber.org

-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe lfs-security' in the subject header of the message



More information about the lfs-security mailing list