Theos-World hackers are around!
May 24, 2000 08:01 PM
by Eldon B Tucker
I'm posting the following message as a warning to others
on the list. It's apparently dangerous to be connected
to the Internet, without being careful about security,
especially when you're online all the time with DSL.
My www.mahat.com experimental server was broken into
yesterday, then used by someone for hacking. Anyone
have any ideas regarding how they got in, or suggestions
on how to make sure my system is safe before I take
it online again?
-- Eldon Tucker
>Date: Wed, 24 May 2000 19:42:28 -0700
>To: trouble@pbi.net, keith@fastdata.net
>From: Eldon B Tucker <eldon@theosophy.com>
>Subject: fastdata.net hacker breaking into my pacbell.net computer
>
>This message is regarding my pacbell.net computer, mahat.com,
>which was broken into yesterday. (Note that clancy.mahat.com
>is an alternate name for mahat.com.) I consider this a serious
>matter, and expect that it will be looked into.
>
>After getting a call at about 10:50 PM (PDT) yesterday
>that someone's computer was being hacked into from my
>linux box, mahat.com, I investigated files and logs on
>the system, and find that my computer had been broken
>into and was in use by some hacker.
>
>Someone from 208.21.139.183 connected to my system,
>changed the password for 'gdm', ftp'ed some files,
>then may have connected from different computers and
>run things -- who knows what? -- until I found out
>about the problem and turned off the computer.
>
>The hacker seems to have been initally been connected
>through a dial in port, dial183.fastdata.net, having
>connected to my system at 22:08:10 PDT.
>
>A question for fastdata.net, the apparent host
>to the hacker, and for pacbell.net, my ISP and
>host to the machine that was broken into: Is it
>possible, knowing a particular dial-in port and
>time of access, to identify the particular user
>of fastdata.net and investigate his/her activities?
>
>A second question for pacbell.net: Do you have
>any suggestions as to how someone can conneted
>and change a password without having first been
>logged onto the system? (There's no record of a
>telnet just prior to the password change.) I
>don't feel safe connecting my computer to the
>internet again, even if I change some passwords,
>until I know how the initial break in happened.
>
>-- Eldon Tucker
>
>----
>
>Information that I've pieced together from various
>files and logs follow. Lines are generally identified by the
>file that they came from.)
>
>(I'm not sure if this is revelant.)
>
>-rwxr-xr-x 1 root root 179260 May 23 22:28 /bin/screen
>prw------- 1 root root 0 May 23 22:43 /tmp/screens/S-root/7857.pts-1.clancy
>
>---- episode 1 (at 18:46:59)
>
>(I'm not sure if this is relevant.)
>
>00:00 clancy in.telnetd[7280]: connect from 207.114.4.46 (/var/log/messages)
>
>---- episode 2 (at 22:08:10 PDT)
>
>(This is the initial hack.)
>
>00:00 clancy in.telnetd[7805]: connect from 208.21.139.183 (/var/log/messages)
>00:57 clancy PAM_pwdb[7811]: password for (gdm/42) changed by ((null)/0) (/var/log/messages)
> < gdm:$1$SOUOZBTa$jfldaf2zoxrKh9WECYkhS0:11100:0:99999:7:-1:-1:134538460 (/etc/shadow)
> > gdm:$1$kWRfP1c.$PBs.7nIR4gjO1VYPUvssi.:11095:0:99999:7:-1:-1:134537332 (/etc/shadow)
>01:39 clancy in.ftpd[7818]: connect from 208.21.139.183 (/var/log/messages)
>01:40 clancy ftpd[7818]: FTP LOGIN FROM dial183.fastdata.net [208.21.139.183], gdm (/var/log/messages)
>03:03 4 dial183.fastdata.net 7449 /tmp/b.tgz b _ i r gdm ftp 0 * c (/var/log/xferlog)
>03:11 7 dial183.fastdata.net 10244 /tmp/z b _ i r gdm ftp 0 * c (/var/log/xferlog)
>03:18 5 dial183.fastdata.net 12716 /tmp/amdx b _ i r gdm ftp 0 * c (/var/log/xferlog)
>03:42 clancy ftpd[7818]: FTP session closed (/var/log/messages)
>
>---- episode 3 (at 22:35:24)
>
>(This is a followup hack.)
>
>00:00 clancy identd[7923]: Connection from madsax-1.dsl.speakeasy.net (/var/log/messages)
>00:01 clancy identd[7923]: from: 216.231.35.44 ( madsax-1.dsl.speakeasy.net ) for: 3065, 53 (/var/log/messages)
>00:21 clancy identd[7924]: Connection from subaudio.mydriasis.com (/var/log/messages)
>00:21 clancy identd[7924]: from: 216.231.36.141 ( subaudio.mydriasis.com ) for: 1059, 53 (/var/log/messages)
>02:46 clancy fingerd[7927]: rejected @mahat.com (/var/log/messages)
>02:46 clancy in.fingerd[7927]: connect from 216.231.48.154 (/var/log/messages)
>02:51 clancy fingerd[7929]: rejected @mahat.com (/var/log/messages)
>02:51 clancy in.fingerd[7929]: connect from XXX.XXX.XX.XX (/var/log/messages)
>03:42 jonesin-0.dsl.speakeasy.net /var/spool/httpd/access_log (top webpage)
>
>---- call at about 22:50:00
>
>I got an anonymous call by someone who won't identify himself
>demand that I stop trying to hack into their system. The man wouldn't
>explain what is happening, what he meant by "hack into his
>system". I powered down my system, then booted it after work today,
>the next day, after disconnecting the computer from the lan and
>from the internet.
-- THEOSOPHY WORLD -- Theosophical Talk -- theos-talk@theosophy.com
Letters to the Editor, and discussion of theosophical ideas and
teachings. To subscribe or unsubscribe, send a message consisting of
"subscribe" or "unsubscribe" to theos-talk-request@theosophy.com.
[Back to Top]
Theosophy World:
Dedicated to the Theosophical Philosophy and its Practical Application