* some body hacked my system
@ 2002-10-08 15:07 Sundaram Ramasamy
2002-10-08 15:24 ` Vito Louis Sansevero
` (3 more replies)
0 siblings, 4 replies; 11+ messages in thread
From: Sundaram Ramasamy @ 2002-10-08 15:07 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 933 bytes --]
Hi,
I am allowing ftp connection in my firewall, some body used ftp port, filled
my hard disk space. He logged-in from 68.65.58.159 IP (/var/log/message)
Oct 8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
he created directory named WC3 and transfed follwoing files.
bash-2.04# cd WC3
bash-2.04# ls
wc3.part01.rar.gz wc3.part07.rar.gz wc3.part13.rar.gz wc3.part19.rar.gz
wc3.part02.rar.gz wc3.part08.rar.gz wc3.part14.rar.gz wc3.part20.rar.gz
wc3.part03.rar.gz wc3.part09.rar.gz wc3.part15.rar.gz wc3.part21.rar.gz
wc3.part04.rar.gz wc3.part10.rar.gz wc3.part16.rar.gz
wc3.part05.rar.gz wc3.part11.rar.gz wc3.part17.rar.gz
wc3.part06.rar.gz wc3.part12.rar.gz wc3.part18.rar.gz
Is anybody knows what this file used for?
How will i block this IP Address in my firewall?
How will i check what else he did on my machine?
Thanks
SR
[-- Attachment #2: Type: text/html, Size: 1453 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: some body hacked my system
2002-10-08 15:07 some body hacked my system Sundaram Ramasamy
@ 2002-10-08 15:24 ` Vito Louis Sansevero
2002-10-08 15:41 ` Carlos E Gorges
` (2 subsequent siblings)
3 siblings, 0 replies; 11+ messages in thread
From: Vito Louis Sansevero @ 2002-10-08 15:24 UTC (permalink / raw)
To: Sundaram Ramasamy; +Cc: netfilter
Well it looks like to me that you gave FTP access to a friend, and he is
uploading the Warez version of "War Craft 3" in rar.gz format,
Hey dont look a gift horse in the mouth! :)
On Tue, 2002-10-08 at 08:07, Sundaram Ramasamy wrote:
> Hi,
>
> I am allowing ftp connection in my firewall, some body used ftp port,
> filled
> my hard disk space. He logged-in from 68.65.58.159 IP (/var/log/message)
>
> Oct 8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
> va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
>
> he created directory named WC3 and transfed follwoing files.
>
> bash-2.04# cd WC3
> bash-2.04# ls
> wc3.part01.rar.gz wc3.part07.rar.gz wc3.part13.rar.gz
> wc3.part19.rar.gz
> wc3.part02.rar.gz wc3.part08.rar.gz wc3.part14.rar.gz
> wc3.part20.rar.gz
> wc3.part03.rar.gz wc3.part09.rar.gz wc3.part15.rar.gz
> wc3.part21.rar.gz
> wc3.part04.rar.gz wc3.part10.rar.gz wc3.part16.rar.gz
> wc3.part05.rar.gz wc3.part11.rar.gz wc3.part17.rar.gz
> wc3.part06.rar.gz wc3.part12.rar.gz wc3.part18.rar.gz
>
> Is anybody knows what this file used for?
>
> How will i block this IP Address in my firewall?
>
> How will i check what else he did on my machine?
>
> Thanks
> SR
>
--
Vito Sansevero Unix Network Admin
<mailto:vito.sansevero@linksys.com>
The Linksys Group
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: some body hacked my system
2002-10-08 15:07 some body hacked my system Sundaram Ramasamy
2002-10-08 15:24 ` Vito Louis Sansevero
@ 2002-10-08 15:41 ` Carlos E Gorges
2002-10-08 18:36 ` Michael H. Warfield
2002-10-08 20:01 ` Maciej Soltysiak
3 siblings, 0 replies; 11+ messages in thread
From: Carlos E Gorges @ 2002-10-08 15:41 UTC (permalink / raw)
To: Sundaram Ramasamy, netfilter
On Terça 08 Outubro 2002 12:07, Sundaram Ramasamy wrote:
> Hi,
>
> I am allowing ftp connection in my firewall, some body used ftp port,
> filled my hard disk space. He logged-in from 68.65.58.159 IP
> (/var/log/message)
>
> Oct 8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
> va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
>
> he created directory named WC3 and transfed follwoing files.
>
> bash-2.04# cd WC3
> bash-2.04# ls
> wc3.part01.rar.gz wc3.part07.rar.gz wc3.part13.rar.gz wc3.part19.rar.gz
> wc3.part02.rar.gz wc3.part08.rar.gz wc3.part14.rar.gz wc3.part20.rar.gz
> wc3.part03.rar.gz wc3.part09.rar.gz wc3.part15.rar.gz wc3.part21.rar.gz
> wc3.part04.rar.gz wc3.part10.rar.gz wc3.part16.rar.gz
> wc3.part05.rar.gz wc3.part11.rar.gz wc3.part17.rar.gz
> wc3.part06.rar.gz wc3.part12.rar.gz wc3.part18.rar.gz
Wacraft 3 warez ?
--
_________________________
Carlos E Gorges
(carlos@techlinux.com.br)
Tech informática LTDA
Brazil
_________________________
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: some body hacked my system
2002-10-08 15:07 some body hacked my system Sundaram Ramasamy
2002-10-08 15:24 ` Vito Louis Sansevero
2002-10-08 15:41 ` Carlos E Gorges
@ 2002-10-08 18:36 ` Michael H. Warfield
2002-10-08 20:01 ` Maciej Soltysiak
3 siblings, 0 replies; 11+ messages in thread
From: Michael H. Warfield @ 2002-10-08 18:36 UTC (permalink / raw)
To: Sundaram Ramasamy; +Cc: netfilter
On Tue, Oct 08, 2002 at 11:07:37AM -0400, Sundaram Ramasamy wrote:
> Hi,
> I am allowing ftp connection in my firewall, some body used ftp port, filled
> my hard disk space. He logged-in from 68.65.58.159 IP (/var/log/message)
> Oct 8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
> va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
> he created directory named WC3 and transfed follwoing files.
> bash-2.04# cd WC3
> bash-2.04# ls
> wc3.part01.rar.gz wc3.part07.rar.gz wc3.part13.rar.gz wc3.part19.rar.gz
> wc3.part02.rar.gz wc3.part08.rar.gz wc3.part14.rar.gz wc3.part20.rar.gz
> wc3.part03.rar.gz wc3.part09.rar.gz wc3.part15.rar.gz wc3.part21.rar.gz
> wc3.part04.rar.gz wc3.part10.rar.gz wc3.part16.rar.gz
> wc3.part05.rar.gz wc3.part11.rar.gz wc3.part17.rar.gz
> wc3.part06.rar.gz wc3.part12.rar.gz wc3.part18.rar.gz
> Is anybody knows what this file used for?
> How will i block this IP Address in my firewall?
> How will i check what else he did on my machine?
1) He did not "hack" your box. You invited him in by leaving
anonymous ftp enabled. He's just using you as a warez drop site. I
guess he could have told you "thanks".
2) Never never NEVER allow both read and write access to any
directories under ftp home directory. You are useless as a warez
site if his buddies can't download what he uploaded. If you want
people to be able to upload stuff, have a writable upload directory
that can not be read. Then move the stuff you want to be available for
download to a readable directory.
3) Blocking his IP isn't going to do diddley worth of good once
he tells his 10,000 buddies on IRC that he just found a fat disk with
an IP address.
4) If you want to check your system for tampering, run an rpm
verify run to check the installed system.
5) If you think he really did hack your system, run ckrootkit,
<www.chkrootkit.org> on it (read the instructions - it's very noisy
and has some false alarms - don't panic if it complains about hidden
processes, just rerun it and verify).
6) If you think he's REALLY GOOD (and he's not if he's just
flicking his bic playing with warez) then reinstall. You won't find
the good ones unless you have offline databases of your installed base
and verify using a bootable CD and verifiable software.
> Thanks
> SR
Mike
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: some body hacked my system
2002-10-08 15:07 some body hacked my system Sundaram Ramasamy
` (2 preceding siblings ...)
2002-10-08 18:36 ` Michael H. Warfield
@ 2002-10-08 20:01 ` Maciej Soltysiak
2002-10-08 21:12 ` Kevin Dwyer
3 siblings, 1 reply; 11+ messages in thread
From: Maciej Soltysiak @ 2002-10-08 20:01 UTC (permalink / raw)
To: Sundaram Ramasamy; +Cc: netfilter
> wc3.part01.rar.gz wc3.part07.rar.gz wc3.part13.rar.gz wc3.part19.rar.gz
> wc3.part02.rar.gz wc3.part08.rar.gz wc3.part14.rar.gz wc3.part20.rar.gz
> wc3.part03.rar.gz wc3.part09.rar.gz wc3.part15.rar.gz wc3.part21.rar.gz
> wc3.part04.rar.gz wc3.part10.rar.gz wc3.part16.rar.gz
> wc3.part05.rar.gz wc3.part11.rar.gz wc3.part17.rar.gz
> wc3.part06.rar.gz wc3.part12.rar.gz wc3.part18.rar.gz
>
> Is anybody knows what this file used for?
Of course. The famous, War Craft III.
> How will i block this IP Address in my firewall?
iptables -A INPUT -s <ip> -j DROP
> How will i check what else he did on my machine?
Well, maybe i did not get it right, be it looks as if someone is making
a Warez site out of your machine. The easiest way evil people exploit it
is that they use world writeable anonymous ftp servers. Check it.
If it is an intrusion, go and browse the logs, look in .bash.history,
suspicious users, processes, mc's history, again: logs. look for deleted
parts in the logs.
And download, compile and run: chkrootkit. Which looks for rootkits and
trojans in you binaries.
Good luck,
Maciej Soltysiak
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: some body hacked my system
2002-10-08 20:01 ` Maciej Soltysiak
@ 2002-10-08 21:12 ` Kevin Dwyer
2002-10-08 21:53 ` Sundaram Ramasamy
0 siblings, 1 reply; 11+ messages in thread
From: Kevin Dwyer @ 2002-10-08 21:12 UTC (permalink / raw)
To: Sundaram Ramasamy; +Cc: netfilter
On Tue, 8 Oct 2002, Maciej Soltysiak transmitted the following:
> And download, compile and run: chkrootkit. Which looks for rootkits and
> trojans in you binaries.
And check the checksums of your binaries with the ones you saved off on
disk when you finished building the machine. ;)
/* Kevin Dwyer Allegiance Internet */
/* network security engineer Commerce Center II */
/* email: Kevin.Dwyer@algx.net 7601 Ora Glen Drive */
/* phone: 240-616-2075 Greenbelt, MD 20770 */
/* >++++++++++[<++++++++++>-]<.+++++.----.[-]++++++++++. */
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: some body hacked my system
2002-10-08 21:12 ` Kevin Dwyer
@ 2002-10-08 21:53 ` Sundaram Ramasamy
2002-10-09 18:26 ` Michael H. Warfield
0 siblings, 1 reply; 11+ messages in thread
From: Sundaram Ramasamy @ 2002-10-08 21:53 UTC (permalink / raw)
To: netfilter
Thanks for all your mails, other than filling my hard disk he didn't do
anything. I am running Redhat 7.1 wu-ftpd, in my firewall I opened only
http, smtp, pop3, ftp and cvspserver ports.
Thanks
Sundaram
----- Original Message -----
From: "Kevin Dwyer" <Kevin.Dwyer@algx.net>
To: "Sundaram Ramasamy" <sun@percipia.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Tuesday, October 08, 2002 5:12 PM
Subject: Re: some body hacked my system
> On Tue, 8 Oct 2002, Maciej Soltysiak transmitted the following:
>
> > And download, compile and run: chkrootkit. Which looks for rootkits and
> > trojans in you binaries.
>
> And check the checksums of your binaries with the ones you saved off on
> disk when you finished building the machine. ;)
>
>
> /* Kevin Dwyer Allegiance Internet */
> /* network security engineer Commerce Center II */
> /* email: Kevin.Dwyer@algx.net 7601 Ora Glen Drive */
> /* phone: 240-616-2075 Greenbelt, MD 20770 */
> /* >++++++++++[<++++++++++>-]<.+++++.----.[-]++++++++++. */
>
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: some body hacked my system
2002-10-08 21:53 ` Sundaram Ramasamy
@ 2002-10-09 18:26 ` Michael H. Warfield
0 siblings, 0 replies; 11+ messages in thread
From: Michael H. Warfield @ 2002-10-09 18:26 UTC (permalink / raw)
To: Sundaram Ramasamy; +Cc: netfilter
On Tue, Oct 08, 2002 at 05:53:04PM -0400, Sundaram Ramasamy wrote:
> Thanks for all your mails, other than filling my hard disk he didn't do
> anything. I am running Redhat 7.1 wu-ftpd, in my firewall I opened only
> http, smtp, pop3, ftp and cvspserver ports.
Hmmm... Really... RedHat 7.1 huh...
What was that IP address again. /;->=>
Have you kept that very VERY up to date? 7.1 was one of those spins
with security problems from hell.
Just the i386 binary rpm updates for 7.1 are almost 380 Meg worth.
The entire update directory for 7.1 (including sources and other platforms)
is over a Gig and a half.
ftp - Yup... There's an update rpm in there for that.
smtp - Uh huh... Sendmail too.
http - You betcha... Apache problems fixed in there too.
pop3 - That's in the imap package and that's got an update.
You're at least 4 for 5 in the security hole department unless
you've updated those four to the latest rpms. On top of those, since
you are running http, you can add problems in php and possibly others
than apache can access. You didn't mention https, but that's got openssl
problems that could get you "slapped" (slapper Apache OpenSSL worm running
loose right now).
Your earlier message didn't indicate a breakin. But this one
indicates a potential for future breakins. If you are not going to
upgrade that to a more recent distro, you are going to need to be
doubly sure to keep it up to date. Running up2date and joining
RedHat networks (rhn) would probably be a good idea if you haven't
already. :-)
> Thanks
> Sundaram
> ----- Original Message -----
> From: "Kevin Dwyer" <Kevin.Dwyer@algx.net>
> To: "Sundaram Ramasamy" <sun@percipia.com>
> Cc: <netfilter@lists.netfilter.org>
> Sent: Tuesday, October 08, 2002 5:12 PM
> Subject: Re: some body hacked my system
>
>
> > On Tue, 8 Oct 2002, Maciej Soltysiak transmitted the following:
> >
> > > And download, compile and run: chkrootkit. Which looks for rootkits and
> > > trojans in you binaries.
> >
> > And check the checksums of your binaries with the ones you saved off on
> > disk when you finished building the machine. ;)
> >
> >
> > /* Kevin Dwyer Allegiance Internet */
> > /* network security engineer Commerce Center II */
> > /* email: Kevin.Dwyer@algx.net 7601 Ora Glen Drive */
> > /* phone: 240-616-2075 Greenbelt, MD 20770 */
> > /* >++++++++++[<++++++++++>-]<.+++++.----.[-]++++++++++. */
> >
> >
> >
>
--
Michael H. Warfield | (770) 985-6132 | mhw@WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: some body hacked my system
@ 2002-10-08 15:17 Keith R. Weiner
2002-10-08 22:07 ` Bob Sully
0 siblings, 1 reply; 11+ messages in thread
From: Keith R. Weiner @ 2002-10-08 15:17 UTC (permalink / raw)
To: Sundaram Ramasamy, netfilter
[-- Attachment #1: Type: text/plain, Size: 1623 bytes --]
That looks like warcraft 3 if I had to take a guess. It is a very good game. Did you try unarchiving it?
You can block his ip address, but what is stopping this person from hitting you from another ip?
Look at your ftp server. Maybe disable anonymous logins. Maybe put quotas on. Maybe see if there are any patches to your ftp daemon.
What kind of ftp server are you using? WuFTPD, ms IIS, etc...?
I'm a newbie myself, but I'd just thought that I'd put in my 2 cents.
-----Original Message-----
From: Sundaram Ramasamy [mailto:sun@percipia.com]
Sent: Tuesday, October 08, 2002 11:08 AM
To: netfilter@lists.netfilter.org
Subject: some body hacked my system
Hi,
I am allowing ftp connection in my firewall, some body used ftp port, filled
my hard disk space. He logged-in from 68.65.58.159 IP (/var/log/message)
Oct 8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
he created directory named WC3 and transfed follwoing files.
bash-2.04# cd WC3
bash-2.04# ls
wc3.part01.rar.gz wc3.part07.rar.gz wc3.part13.rar.gz wc3.part19.rar.gz
wc3.part02.rar.gz wc3.part08.rar.gz wc3.part14.rar.gz wc3.part20.rar.gz
wc3.part03.rar.gz wc3.part09.rar.gz wc3.part15.rar.gz wc3.part21.rar.gz
wc3.part04.rar.gz wc3.part10.rar.gz wc3.part16.rar.gz
wc3.part05.rar.gz wc3.part11.rar.gz wc3.part17.rar.gz
wc3.part06.rar.gz wc3.part12.rar.gz wc3.part18.rar.gz
Is anybody knows what this file used for?
How will i block this IP Address in my firewall?
How will i check what else he did on my machine?
Thanks
SR
[-- Attachment #2: Type: text/html, Size: 3435 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: some body hacked my system
2002-10-08 15:17 Keith R. Weiner
@ 2002-10-08 22:07 ` Bob Sully
0 siblings, 0 replies; 11+ messages in thread
From: Bob Sully @ 2002-10-08 22:07 UTC (permalink / raw)
To: Keith R. Weiner; +Cc: Sundaram Ramasamy, netfilter
I use ProFTPd. If you need anonymous access, set it up with
upload-only privileges (no read or download) on /incoming and do not
allow the creation of directories. Set up your other directories as
download-only. I have never had a problem with this setup.
HTH -- Bob
On Tue, 8 Oct 2002, Keith R. Weiner wrote:
> That looks like warcraft 3 if I had to take a guess. It is a very good game. Did you try unarchiving it?
>
> You can block his ip address, but what is stopping this person from hitting you from another ip?
>
> Look at your ftp server. Maybe disable anonymous logins. Maybe put quotas on. Maybe see if there are any patches to your ftp daemon.
>
> What kind of ftp server are you using? WuFTPD, ms IIS, etc...?
>
> I'm a newbie myself, but I'd just thought that I'd put in my 2 cents.
>
> -----Original Message-----
> From: Sundaram Ramasamy [mailto:sun@percipia.com]
> Sent: Tuesday, October 08, 2002 11:08 AM
> To: netfilter@lists.netfilter.org
> Subject: some body hacked my system
>
>
> Hi,
>
> I am allowing ftp connection in my firewall, some body used ftp port, filled
> my hard disk space. He logged-in from 68.65.58.159 IP (/var/log/message)
>
> Oct 8 00:57:03 linux2 ftpd[25101]: FTP LOGIN FROM
> va-staff-u1-c5a-159.frbgva.adelphia.net [68.65.58.159]
>
> he created directory named WC3 and transfed follwoing files.
>
> bash-2.04# cd WC3
> bash-2.04# ls
> wc3.part01.rar.gz wc3.part07.rar.gz wc3.part13.rar.gz wc3.part19.rar.gz
> wc3.part02.rar.gz wc3.part08.rar.gz wc3.part14.rar.gz wc3.part20.rar.gz
> wc3.part03.rar.gz wc3.part09.rar.gz wc3.part15.rar.gz wc3.part21.rar.gz
> wc3.part04.rar.gz wc3.part10.rar.gz wc3.part16.rar.gz
> wc3.part05.rar.gz wc3.part11.rar.gz wc3.part17.rar.gz
> wc3.part06.rar.gz wc3.part12.rar.gz wc3.part18.rar.gz
>
> Is anybody knows what this file used for?
>
> How will i block this IP Address in my firewall?
>
> How will i check what else he did on my machine?
>
> Thanks
> SR
>
>
>
--
________________________________________
Bob Sully - Simi Valley, California, USA
http://www.malibyte.net
"The weather is here - wish you were beautiful." - J. Buffett
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: some body hacked my system
@ 2002-10-08 17:17 Dominic Irrcher
0 siblings, 0 replies; 11+ messages in thread
From: Dominic Irrcher @ 2002-10-08 17:17 UTC (permalink / raw)
To: 'Carlos E Gorges', 'Sundaram Ramasamy',
'netfilter@lists.netfilter.org'
yes ... those do look like warcraft3 warez files !!!
if you want to block just his ip .. drop any incoming connections with the
source ip of what you posted.
keep checking your log files, might not tell you everything he did, but its
a good indication.
consider shutting off ftp .. and running sftp instead. or a better ftp
package.
HTH
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2002-10-09 18:26 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2002-10-08 15:07 some body hacked my system Sundaram Ramasamy
2002-10-08 15:24 ` Vito Louis Sansevero
2002-10-08 15:41 ` Carlos E Gorges
2002-10-08 18:36 ` Michael H. Warfield
2002-10-08 20:01 ` Maciej Soltysiak
2002-10-08 21:12 ` Kevin Dwyer
2002-10-08 21:53 ` Sundaram Ramasamy
2002-10-09 18:26 ` Michael H. Warfield
-- strict thread matches above, loose matches on Subject: below --
2002-10-08 15:17 Keith R. Weiner
2002-10-08 22:07 ` Bob Sully
2002-10-08 17:17 Dominic Irrcher
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.