Sunday, January 27, 2002

#title tracing

So now I have a rootkit, a few ip addresses, traffic logs, and a yahoo email address.

Any ideas on what to do with it all?       

#title crackable server

Well, it had to happen sooner or later. One of my servers got cracked because I wasn't up to date on updating public services, in this case OpenSSH. Looks like an automated probe, followed by a rootkit that included a kernel module that hid a few processes and files. But they made a few mistakes.

1) That particular server was an email black hole, used for testing purposes, so their "I'm here" email is still in the queue somewhere. (sent to yahoo)

2) They didn't erase the logs, so I know when and from where they attacked and accessed the server. (u texas)

3) They installed their own version of sshd, called sshdu which knocked mine off, so I couldn't log in. (that's how I noticed it). They might have had root, but I had console.

4) Their kernel module didn't work, so I saw that the ethernet card was in promiscuous mode and that there was a program called linsniffer running. Didn't do them much good though, since that machine was on a switch, not a hub.
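As an added example (not code from the original post), a small triage script for the three indicators above: processes hidden by a kernel module, a NIC in promiscuous mode, and a replacement sshd. It assumes a Linux host with procps `ps`; the allowed sshd path `/usr/sbin/sshd` is an assumed default.

```python
"""Triage checks for the indicators in the post: an LKM hiding processes,
a NIC in promiscuous mode, and a replacement sshd binary. The functions
take raw data so they also work on saved evidence; main() gathers it live."""
import os
import subprocess

IFF_PROMISC = 0x100  # promiscuous bit as exposed in /sys/class/net/<dev>/flags


def hidden_pids(listed_entries, probed_pids):
    """PIDs that exist when probed directly (stat /proc/<pid>) but are missing
    from a directory listing of /proc: the classic sign of a readdir-hooking
    rootkit. Rerun before acting; a process exiting between the two samples
    produces a one-off false positive."""
    listed = {int(e) for e in listed_entries if e.isdigit()}
    return sorted(set(probed_pids) - listed)


def promiscuous_interfaces(flags_by_dev):
    """flags_by_dev maps device name to the hex string read from
    /sys/class/net/<dev>/flags, e.g. {'eth0': '0x1103'}."""
    return sorted(dev for dev, flags in flags_by_dev.items()
                  if int(flags, 16) & IFF_PROMISC)


def unexpected_sshd(ps_args_output, allowed=("/usr/sbin/sshd",)):
    """Scan `ps -e -o args=` output for sshd-like executables outside the
    allowed list; a renamed daemon like the post's 'sshdu' lands here."""
    found = set()
    for line in ps_args_output.splitlines():
        parts = line.split()
        if parts and "sshd" in os.path.basename(parts[0]) and parts[0] not in allowed:
            found.add(parts[0])
    return sorted(found)


def main(pid_max=32768):  # assumed default pid_max; read /proc/sys/kernel/pid_max if larger
    listed = os.listdir("/proc")
    probed = {p for p in range(1, pid_max + 1) if os.path.exists(f"/proc/{p}")}
    flags = {}
    for dev in os.listdir("/sys/class/net"):
        with open(f"/sys/class/net/{dev}/flags") as fh:
            flags[dev] = fh.read().strip()
    ps = subprocess.run(["ps", "-e", "-o", "args="], capture_output=True, text=True).stdout
    print("hidden PIDs:", hidden_pids(listed, probed))
    print("promiscuous:", promiscuous_interfaces(flags))
    print("unexpected sshd:", unexpected_sshd(ps))


if __name__ == "__main__":
    main()
```

Run it from the console of the suspect box with a known-good Python and `ps` (for example from a rescue CD), since a rootkit that also hooks stat() or replaces `ps` can blind these checks.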

So it's all offline till I figure out how much detective work I want to do and if any of them can be caught. And I have to rebuild a machine that I was considering rebuilding anyway.

But the prime function of this particular machine was to be my audio-on-demand mp3 server. grrr. So I'm back to uncrackable audio, specifically a Thorens td 160. It's so crack proof, it's analog. Spins 12" groovy black disks.       


© Copyright 2002 Eric Soroos, eric-ul@soroos.net.
Last update: 2/1/02; 9:37:34 AM.
Css stolen from http://bluerobot.com