* some body hacked my system
@ 2002-10-08 15:07 Sundaram Ramasamy
From: Sundaram Ramasamy @ 2002-10-08 15:07 UTC (permalink / raw)
  To: netfilter

Hi,

I am allowing FTP connections in my firewall; somebody used the FTP port and filled
my hard disk space. He logged in from IP 68.65.58.159 (/var/log/message)

Oct  8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]

He created a directory named WC3 and transferred the following files.

bash-2.04# cd WC3
bash-2.04# ls
wc3.part01.rar.gz  wc3.part07.rar.gz  wc3.part13.rar.gz  wc3.part19.rar.gz
wc3.part02.rar.gz  wc3.part08.rar.gz  wc3.part14.rar.gz  wc3.part20.rar.gz
wc3.part03.rar.gz  wc3.part09.rar.gz  wc3.part15.rar.gz  wc3.part21.rar.gz
wc3.part04.rar.gz  wc3.part10.rar.gz  wc3.part16.rar.gz
wc3.part05.rar.gz  wc3.part11.rar.gz  wc3.part17.rar.gz
wc3.part06.rar.gz  wc3.part12.rar.gz  wc3.part18.rar.gz

Does anybody know what these files are used for?

How will I block this IP address in my firewall?

How will I check what else he did on my machine?

Thanks
SR



* RE: some body hacked my system
@ 2002-10-08 15:17 Keith R. Weiner
From: Keith R. Weiner @ 2002-10-08 15:17 UTC (permalink / raw)
  To: Sundaram Ramasamy, netfilter

That looks like warcraft 3 if I had to take a guess.  It is a very good game. Did you try unarchiving it?
 
You can block his ip address, but what is stopping this person from hitting you from another ip?
 
Look at your ftp server.  Maybe disable anonymous logins. Maybe put quotas on.  Maybe see if there are any patches to your ftp daemon.
 
What kind of ftp server are you using?  WuFTPD, ms IIS, etc...?
 
I'm a newbie myself, but I just thought I'd put in my 2 cents.

-----Original Message-----
From: Sundaram Ramasamy [mailto:sun@percipia.com]
Sent: Tuesday, October 08, 2002 11:08 AM
To: netfilter@lists.netfilter.org
Subject: some body hacked my system


Hi,

I am allowing FTP connections in my firewall; somebody used the FTP port and filled
my hard disk space. He logged in from IP 68.65.58.159 (/var/log/message)

Oct  8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]

He created a directory named WC3 and transferred the following files.

bash-2.04# cd WC3
bash-2.04# ls
wc3.part01.rar.gz  wc3.part07.rar.gz  wc3.part13.rar.gz  wc3.part19.rar.gz
wc3.part02.rar.gz  wc3.part08.rar.gz  wc3.part14.rar.gz  wc3.part20.rar.gz
wc3.part03.rar.gz  wc3.part09.rar.gz  wc3.part15.rar.gz  wc3.part21.rar.gz
wc3.part04.rar.gz  wc3.part10.rar.gz  wc3.part16.rar.gz
wc3.part05.rar.gz  wc3.part11.rar.gz  wc3.part17.rar.gz
wc3.part06.rar.gz  wc3.part12.rar.gz  wc3.part18.rar.gz

Does anybody know what these files are used for?

How will I block this IP address in my firewall?

How will I check what else he did on my machine?

Thanks
SR




* Re: some body hacked my system
@ 2002-10-08 15:24 ` Vito Louis Sansevero
From: Vito Louis Sansevero @ 2002-10-08 15:24 UTC (permalink / raw)
  To: Sundaram Ramasamy; +Cc: netfilter

Well, it looks to me like you gave FTP access to a friend, and he is
uploading the warez version of "War Craft 3" in rar.gz format.

Hey, don't look a gift horse in the mouth! :)



On Tue, 2002-10-08 at 08:07, Sundaram Ramasamy wrote:
> Hi,
> 
> I am allowing FTP connections in my firewall; somebody used the FTP port and
> filled
> my hard disk space. He logged in from IP 68.65.58.159 (/var/log/message)
> 
> Oct  8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
> va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
> 
> He created a directory named WC3 and transferred the following files.
> 
> bash-2.04# cd WC3
> bash-2.04# ls
> wc3.part01.rar.gz  wc3.part07.rar.gz  wc3.part13.rar.gz
> wc3.part19.rar.gz
> wc3.part02.rar.gz  wc3.part08.rar.gz  wc3.part14.rar.gz
> wc3.part20.rar.gz
> wc3.part03.rar.gz  wc3.part09.rar.gz  wc3.part15.rar.gz
> wc3.part21.rar.gz
> wc3.part04.rar.gz  wc3.part10.rar.gz  wc3.part16.rar.gz
> wc3.part05.rar.gz  wc3.part11.rar.gz  wc3.part17.rar.gz
> wc3.part06.rar.gz  wc3.part12.rar.gz  wc3.part18.rar.gz
> 
> Does anybody know what these files are used for?
> 
> How will I block this IP address in my firewall?
> 
> How will I check what else he did on my machine?
> 
> Thanks
> SR
> 
-- 
Vito Sansevero  Unix Network Admin
<mailto:vito.sansevero@linksys.com>
The Linksys Group




* Re: some body hacked my system
@ 2002-10-08 15:41 ` Carlos E Gorges
From: Carlos E Gorges @ 2002-10-08 15:41 UTC (permalink / raw)
  To: Sundaram Ramasamy, netfilter

On Tuesday 08 October 2002 12:07, Sundaram Ramasamy wrote:
> Hi,
>
> I am allowing FTP connections in my firewall; somebody used the FTP port and
> filled my hard disk space. He logged in from IP 68.65.58.159
> (/var/log/message)
>
> Oct  8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
> va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
>
> He created a directory named WC3 and transferred the following files.
>
> bash-2.04# cd WC3
> bash-2.04# ls
> wc3.part01.rar.gz  wc3.part07.rar.gz  wc3.part13.rar.gz  wc3.part19.rar.gz
> wc3.part02.rar.gz  wc3.part08.rar.gz  wc3.part14.rar.gz  wc3.part20.rar.gz
> wc3.part03.rar.gz  wc3.part09.rar.gz  wc3.part15.rar.gz  wc3.part21.rar.gz
> wc3.part04.rar.gz  wc3.part10.rar.gz  wc3.part16.rar.gz
> wc3.part05.rar.gz  wc3.part11.rar.gz  wc3.part17.rar.gz
> wc3.part06.rar.gz  wc3.part12.rar.gz  wc3.part18.rar.gz

Warcraft 3 warez?

-- 
	 _________________________
	 Carlos E Gorges          
	 (carlos@techlinux.com.br)
	 Tech informática LTDA
	 Brazil                   
	 _________________________





* RE: some body hacked my system
@ 2002-10-08 17:17 Dominic Irrcher
From: Dominic Irrcher @ 2002-10-08 17:17 UTC (permalink / raw)
  To: 'Carlos E Gorges', 'Sundaram Ramasamy',
	'netfilter@lists.netfilter.org'

yes ... those do look like warcraft3 warez files !!!

if you want to block just his ip .. drop any incoming connections with the
source ip of what you posted.

keep checking your log files, might not tell you everything he did, but it's
a good indication.

consider shutting off ftp .. and running sftp instead. or a better ftp
package.

HTH



* Re: some body hacked my system
@ 2002-10-08 18:36 ` Michael H. Warfield
From: Michael H. Warfield @ 2002-10-08 18:36 UTC (permalink / raw)
  To: Sundaram Ramasamy; +Cc: netfilter

On Tue, Oct 08, 2002 at 11:07:37AM -0400, Sundaram Ramasamy wrote:
> Hi,

> I am allowing FTP connections in my firewall; somebody used the FTP port and filled
> my hard disk space. He logged in from IP 68.65.58.159 (/var/log/message)

> Oct  8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
> va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]

> He created a directory named WC3 and transferred the following files.

> bash-2.04# cd WC3
> bash-2.04# ls
> wc3.part01.rar.gz  wc3.part07.rar.gz  wc3.part13.rar.gz  wc3.part19.rar.gz
> wc3.part02.rar.gz  wc3.part08.rar.gz  wc3.part14.rar.gz  wc3.part20.rar.gz
> wc3.part03.rar.gz  wc3.part09.rar.gz  wc3.part15.rar.gz  wc3.part21.rar.gz
> wc3.part04.rar.gz  wc3.part10.rar.gz  wc3.part16.rar.gz
> wc3.part05.rar.gz  wc3.part11.rar.gz  wc3.part17.rar.gz
> wc3.part06.rar.gz  wc3.part12.rar.gz  wc3.part18.rar.gz

> Does anybody know what these files are used for?

> How will I block this IP address in my firewall?

> How will I check what else he did on my machine?

	1) He did not "hack" your box.  You invited him in by leaving
anonymous ftp enabled.  He's just using you as a warez drop site.  I
guess he could have told you "thanks".

	2) Never never NEVER allow both read and write access to any
directories under ftp home directory.  You are useless as a warez
site if his buddies can't download what he uploaded.  If you want
people to be able to upload stuff, have a writable upload directory
that can not be read.  Then move the stuff you want to be available for
download to a readable directory.

	3) Blocking his IP isn't going to do diddley worth of good once
he tells his 10,000 buddies on IRC that he just found a fat disk with
an IP address.

	4) If you want to check your system for tampering, run an rpm
verify run to check the installed system.

	5) If you think he really did hack your system, run chkrootkit,
<www.chkrootkit.org> on it (read the instructions - it's very noisy
and has some false alarms - don't panic if it complains about hidden
processes, just rerun it and verify).

	6) If you think he's REALLY GOOD (and he's not if he's just
flicking his bic playing with warez) then reinstall.  You won't find
the good ones unless you have offline databases of your installed base
and verify using a bootable CD and verifiable software.

> Thanks
> SR

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!



* Re: some body hacked my system
@ 2002-10-08 20:01 ` Maciej Soltysiak
From: Maciej Soltysiak @ 2002-10-08 20:01 UTC (permalink / raw)
  To: Sundaram Ramasamy; +Cc: netfilter

> wc3.part01.rar.gz  wc3.part07.rar.gz  wc3.part13.rar.gz  wc3.part19.rar.gz
> wc3.part02.rar.gz  wc3.part08.rar.gz  wc3.part14.rar.gz  wc3.part20.rar.gz
> wc3.part03.rar.gz  wc3.part09.rar.gz  wc3.part15.rar.gz  wc3.part21.rar.gz
> wc3.part04.rar.gz  wc3.part10.rar.gz  wc3.part16.rar.gz
> wc3.part05.rar.gz  wc3.part11.rar.gz  wc3.part17.rar.gz
> wc3.part06.rar.gz  wc3.part12.rar.gz  wc3.part18.rar.gz
>
> Does anybody know what these files are used for?
Of course. The famous, War Craft III.

> How will I block this IP address in my firewall?
iptables -A INPUT -s <ip> -j DROP

> How will I check what else he did on my machine?
Well, maybe I did not get it right, but it looks as if someone is making
a warez site out of your machine. The easiest way evil people exploit it
is that they use world-writeable anonymous FTP servers. Check it.

If it is an intrusion, go and browse the logs, look in .bash_history,
suspicious users, processes, mc's history, again: logs. Look for deleted
parts in the logs.

And download, compile and run chkrootkit, which looks for rootkits and
trojans in your binaries.

Good luck,
Maciej Soltysiak
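As an added example (not code from Michael, Maciej, or anyone else in this thread), the three small sh helpers below cover the checks the two replies above recommend: counting FTP logins per source address in the syslog lines wu-ftpd writes, reducing `rpm -Va` output to size/digest changes and missing files, and confirming that an upload directory is writable but not readable. The log lines and rpm output embedded in the script are constructed samples; only the source address is taken from the original post.

```shell
#!/bin/sh
# Added example for this thread (not any poster's code): three sh helpers for
# triaging an anonymous-FTP warez drop. The log lines and rpm -Va output below
# are constructed samples; only the source address comes from the original post.

# 1. Logins per source address from wu-ftpd's syslog lines
#    ("... FTP LOGIN FROM host [a.b.c.d] ...").  Repeat visitors float to the top.
#    Reads syslog text on stdin, prints "<count> <ip>" sorted by count, descending.
ftp_logins_by_ip() {
    grep 'FTP LOGIN FROM' \
        | sed -n 's/.*\[\([0-9.]*\)].*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# 2. Reduce `rpm -Va` output to what matters for tampering: a file whose size (S)
#    or MD5 digest (5) no longer matches its package, or a file that is missing.
#    An mtime-only line ("........T") on a config file is normal after editing it;
#    a changed digest on something in /bin or /sbin is not.
#    Reads rpm -Va lines on stdin, prints one path per line.
rpm_verify_suspects() {
    awk '
        $1 == "missing" { print $NF; next }
        $1 ~ /^[S.][M.][5.][D.][L.][U.][G.][T.][P.]?$/ {
            if (index($1, "S") > 0 || index($1, "5") > 0) print $NF
        }'
}

# 3. Is this upload directory "blind", i.e. writable by group/others but not
#    listable by them?  That is the layout Michael describes: uploads land where
#    other anonymous users cannot see or fetch them.  Returns 0 when acceptable.
upload_dir_is_blind() {
    mode=$(ls -ld "$1" | cut -c1-10)    # e.g. drwx-wx-wx
    case "$mode" in
        d*) ;;
        *)  return 1 ;;                  # not a directory (or ls failed)
    esac
    g_read=$(printf '%s' "$mode" | cut -c5)
    o_read=$(printf '%s' "$mode" | cut -c8)
    o_write=$(printf '%s' "$mode" | cut -c9)
    [ "$g_read" = "-" ] && [ "$o_read" = "-" ] && [ "$o_write" = "w" ]
}

# ---- constructed sample input (not real logs or rpm output) ----
SAMPLE_LOG='Oct  8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159], anonymous
Oct  8 01:02:11 linux2 ftpd[25130]: FTP LOGIN FROM host.example.invalid [192.0.2.7], anonymous
Oct  8 01:15:40 linux2 ftpd[25160]: FTP LOGIN FROM va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159], anonymous
Oct  8 01:20:00 linux2 sshd[25170]: Accepted password for sr from 192.0.2.9 port 1024'

SAMPLE_RPM_VA='S.5....T   /bin/ls
.......T c /etc/issue
..5....T c /etc/ftpaccess
missing    /usr/sbin/in.ftpd
.M......   /tmp'

echo "== logins per source IP =="
printf '%s\n' "$SAMPLE_LOG" | ftp_logins_by_ip
echo "== rpm -Va suspects =="
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_suspects
```

On a live box you would feed the real files instead of the samples: `ftp_logins_by_ip < /var/log/messages` and `rpm -Va | rpm_verify_suspects`. Two caveats: `rpm -Va` compares against the RPM database on the same disk, so it cannot catch a database that was tampered with alongside the binaries (Michael's point 6), and a directory that passes `upload_dir_is_blind` still lets the FTP daemon itself read what is in it, so the daemon's own access limits matter as well.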





* Re: some body hacked my system
@ 2002-10-08 21:12   ` Kevin Dwyer
From: Kevin Dwyer @ 2002-10-08 21:12 UTC (permalink / raw)
  To: Sundaram Ramasamy; +Cc: netfilter

On Tue, 8 Oct 2002, Maciej Soltysiak transmitted the following:

> And download, compile and run chkrootkit, which looks for rootkits and
> trojans in your binaries.

And check the checksums of your binaries with the ones you saved off on
disk when you finished building the machine.  ;)


/* Kevin Dwyer                                Allegiance Internet */
/* network security engineer                   Commerce Center II */
/* email: Kevin.Dwyer@algx.net                7601 Ora Glen Drive */
/* phone: 240-616-2075                        Greenbelt, MD 20770 */
/*      >++++++++++[<++++++++++>-]<.+++++.----.[-]++++++++++.     */





* Re: some body hacked my system
@ 2002-10-08 21:53     ` Sundaram Ramasamy
From: Sundaram Ramasamy @ 2002-10-08 21:53 UTC (permalink / raw)
  To: netfilter

Thanks for all your mails, other than filling my hard disk he didn't do
anything. I am running Redhat 7.1 wu-ftpd, in my firewall I opened only
http, smtp, pop3, ftp and cvspserver ports.

Thanks
Sundaram


----- Original Message -----
From: "Kevin Dwyer" <Kevin.Dwyer@algx.net>
To: "Sundaram Ramasamy" <sun@percipia.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Tuesday, October 08, 2002 5:12 PM
Subject: Re: some body hacked my system


> On Tue, 8 Oct 2002, Maciej Soltysiak transmitted the following:
>
> > And download, compile and run chkrootkit, which looks for rootkits and
> > trojans in your binaries.
>
> And check the checksums of your binaries with the ones you saved off on
> disk when you finished building the machine.  ;)
>
>
> /* Kevin Dwyer                                Allegiance Internet */
> /* network security engineer                   Commerce Center II */
> /* email: Kevin.Dwyer@algx.net                7601 Ora Glen Drive */
> /* phone: 240-616-2075                        Greenbelt, MD 20770 */
> /*      >++++++++++[<++++++++++>-]<.+++++.----.[-]++++++++++.     */
>
>
>




* RE: some body hacked my system
@ 2002-10-08 22:07 ` Bob Sully
From: Bob Sully @ 2002-10-08 22:07 UTC (permalink / raw)
  To: Keith R. Weiner; +Cc: Sundaram Ramasamy, netfilter


I use ProFTPd.  If you need anonymous access, set it up with 
upload-only privileges (no read or download) on /incoming and do not 
allow the creation of directories.  Set up your other directories as 
download-only.  I have never had a problem with this setup.

HTH -- Bob


On Tue, 8 Oct 2002, Keith R. Weiner wrote:

> That looks like warcraft 3 if I had to take a guess.  It is a very good game. Did you try unarchiving it?
>  
> You can block his ip address, but what is stopping this person from hitting you from another ip?
>  
> Look at your ftp server.  Maybe disable anonymous logins. Maybe put quotas on.  Maybe see if there are any patches to your ftp daemon.
>  
> What kind of ftp server are you using?  WuFTPD, ms IIS, etc...?
>  
> I'm a newbie myself, but I just thought I'd put in my 2 cents.
> 
> -----Original Message-----
> From: Sundaram Ramasamy [mailto:sun@percipia.com]
> Sent: Tuesday, October 08, 2002 11:08 AM
> To: netfilter@lists.netfilter.org
> Subject: some body hacked my system
> 
> 
> Hi,
> 
> I am allowing FTP connections in my firewall; somebody used the FTP port and filled
> my hard disk space. He logged in from IP 68.65.58.159 (/var/log/message)
> 
> Oct  8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
> va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
> 
> He created a directory named WC3 and transferred the following files.
> 
> bash-2.04# cd WC3
> bash-2.04# ls
> wc3.part01.rar.gz  wc3.part07.rar.gz  wc3.part13.rar.gz  wc3.part19.rar.gz
> wc3.part02.rar.gz  wc3.part08.rar.gz  wc3.part14.rar.gz  wc3.part20.rar.gz
> wc3.part03.rar.gz  wc3.part09.rar.gz  wc3.part15.rar.gz  wc3.part21.rar.gz
> wc3.part04.rar.gz  wc3.part10.rar.gz  wc3.part16.rar.gz
> wc3.part05.rar.gz  wc3.part11.rar.gz  wc3.part17.rar.gz
> wc3.part06.rar.gz  wc3.part12.rar.gz  wc3.part18.rar.gz
> 
> Does anybody know what these files are used for?
> 
> How will I block this IP address in my firewall?
> 
> How will I check what else he did on my machine?
> 
> Thanks
> SR
> 
> 
> 

-- 
________________________________________
Bob Sully - Simi Valley, California, USA
http://www.malibyte.net

"The weather is here - wish you were beautiful." - J. Buffett
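An added illustration (not Bob's actual configuration file) of the ProFTPd layout he describes, written with ProFTPd's `<Anonymous>`, `<Directory>` and `<Limit>` directives: the anonymous tree is read-only, and `incoming` accepts uploads (STOR) only, with listing, download, overwrite and directory creation denied. The `incoming` path, client limit and umask are assumptions for illustration.

```apacheconf
# Anonymous FTP: download-only tree with a blind upload directory.
# ~ftp is the ftp user's home; the "incoming" name is an assumption.
<Anonymous ~ftp>
  User                 ftp
  Group                ftp
  UserAlias            anonymous ftp
  RequireValidShell    off
  MaxClients           10

  # The whole anonymous tree is read-only: no STOR, MKD, DELE, RNFR/RNTO ...
  <Limit WRITE>
    DenyAll
  </Limit>

  # Uploads go here and nothing else: files cannot be listed, fetched,
  # overwritten or organised into subdirectories, so the box is useless
  # as a distribution point even if someone does fill it up.
  <Directory incoming>
    Umask           077 077
    AllowOverwrite  off
    <Limit READ LIST NLST>
      DenyAll
    </Limit>
    <Limit STOR>
      AllowAll
    </Limit>
    <Limit MKD XMKD>
      DenyAll
    </Limit>
  </Directory>
</Anonymous>
```

Pair this with a disk quota or a separate filesystem for the FTP tree, since a write-only directory still consumes space until you move or delete what landed there.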





* Re: some body hacked my system
@ 2002-10-09 18:26       ` Michael H. Warfield
From: Michael H. Warfield @ 2002-10-09 18:26 UTC (permalink / raw)
  To: Sundaram Ramasamy; +Cc: netfilter

On Tue, Oct 08, 2002 at 05:53:04PM -0400, Sundaram Ramasamy wrote:
> Thanks for all your mails, other than filling my hard disk he didn't do
> anything. I am running Redhat 7.1 wu-ftpd, in my firewall I opened only
> http, smtp, pop3, ftp and cvspserver ports.

	Hmmm...  Really...  RedHat 7.1 huh...

	What was that IP address again.  /;->=>

	Have you kept that very VERY up to date?  7.1 was one of those spins
with security problems from hell.

	Just the i386 binary rpm updates for 7.1 are almost 380 Meg worth.
The entire update directory for 7.1 (including sources and other platforms)
is over a Gig and a half.

	ftp	- Yup...  There's an update rpm in there for that.
	smtp	- Uh huh...  Sendmail too.
	http	- You betcha...  Apache problems fixed in there too.
	pop3	- That's in the imap package and that's got an update.

	You're at least 4 for 5 in the security hole department unless
you've updated those four to the latest rpms.  On top of those, since
you are running http, you can add problems in php and possibly others
that Apache can access.  You didn't mention https, but that's got openssl
problems that could get you "slapped" (slapper Apache OpenSSL worm running
loose right now).

	Your earlier message didn't indicate a breakin.  But this one
indicates a potential for future breakins.  If you are not going to
upgrade that to a more recent distro, you are going to need to be
doubly sure to keep it up to date.  Running up2date and joining
RedHat networks (rhn) would probably be a good idea if you haven't
already.  :-)

> Thanks
> Sundaram


> ----- Original Message -----
> From: "Kevin Dwyer" <Kevin.Dwyer@algx.net>
> To: "Sundaram Ramasamy" <sun@percipia.com>
> Cc: <netfilter@lists.netfilter.org>
> Sent: Tuesday, October 08, 2002 5:12 PM
> Subject: Re: some body hacked my system
> 
> 
> > On Tue, 8 Oct 2002, Maciej Soltysiak transmitted the following:
> >
> > > And download, compile and run chkrootkit, which looks for rootkits and
> > > trojans in your binaries.
> >
> > And check the checksums of your binaries with the ones you saved off on
> > disk when you finished building the machine.  ;)
> >
> >
> > /* Kevin Dwyer                                Allegiance Internet */
> > /* network security engineer                   Commerce Center II */
> > /* email: Kevin.Dwyer@algx.net                7601 Ora Glen Drive */
> > /* phone: 240-616-2075                        Greenbelt, MD 20770 */
> > /*      >++++++++++[<++++++++++>-]<.+++++.----.[-]++++++++++.     */
> >
> >
> >
> 

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


