theos-talk.com


Re: Theos-World hackers are around!

May 25, 2000 04:15 PM
by M K Ramadoss


The issue of break-in was discussed by our local linux user group and seems
to be a very common occurrence. While I do not know the specific details,
everyone in the group was advising a firewall to be built. It looks like it is
very easy if you are using linux.

mkr


At 07:59 PM 05/24/2000 -0700, you wrote:
>I'm posting the following message as a warning to others
>on the list. It's apparently dangerous to be connected
>to the Internet, without being careful about security,
>especially when you're online all the time with DSL.
>
>My www.mahat.com experimental server was broken into
>yesterday, then used by someone for hacking. Anyone
>have any ideas regarding how they got in, or suggestions
>on how to make sure my system is safe before I take
>it online again?
>
>-- Eldon Tucker
>
>>Date: Wed, 24 May 2000 19:42:28 -0700
>>To: trouble@pbi.net, keith@fastdata.net
>>From: Eldon B Tucker <eldon@theosophy.com>
>>Subject: fastdata.net hacker breaking into my pacbell.net computer
>>
>>This message is regarding my pacbell.net computer, mahat.com,
>>which was broken into yesterday. (Note that clancy.mahat.com
>>is an alternate name for mahat.com.) I consider this a serious
>>matter, and expect that it will be looked into.
>>
>>After getting a call at about 10:50 PM (PDT) yesterday
>>that someone's computer was being hacked into from my 
>>linux box, mahat.com, I investigated files and logs on 
>>the system, and find that my computer had been broken 
>>into and was in use by some hacker.
>>
>>Someone from 208.21.139.183 connected to my system,
>>changed the password for 'gdm', ftp'ed some files,
>>then may have connected from different computers and
>>run things -- who knows what? -- until I found out
>>about the problem and turned off the computer.
>>
>>The hacker seems to have initially been connected
>>through a dial-in port, dial183.fastdata.net, having
>>connected to my system at 22:08:10 PDT.
>>
>>A question for fastdata.net, the apparent host
>>to the hacker, and for pacbell.net, my ISP and
>>host to the machine that was broken into: Is it
>>possible, knowing a particular dial-in port and
>>time of access, to identify the particular user
>>of fastdata.net and investigate his/her activities?
>>
>>A second question for pacbell.net: Do you have
>>any suggestions as to how someone can connect
>>and change a password without having first been
>>logged onto the system? (There's no record of a
>>telnet just prior to the password change.) I
>>don't feel safe connecting my computer to the
>>internet again, even if I change some passwords,
>>until I know how the initial break-in happened.
>>
>>-- Eldon Tucker
>>
>>----
>>
>>Information that I've pieced together from various
>>files and logs follows. Lines are generally identified by the
>>file that they came from.
>>
>>(I'm not sure if this is relevant.)
>>
>>-rwxr-xr-x   1 root     root       179260 May 23 22:28 /bin/screen
>>prw-------   1 root     root            0 May 23 22:43 /tmp/screens/S-root/7857.pts-1.clancy
>>
>>---- episode 1 (at 18:46:59)
>>
>>(I'm not sure if this is relevant.)
>>
>>00:00 clancy in.telnetd[7280]: connect from 207.114.4.46 (/var/log/messages)
>>
>>---- episode 2 (at 22:08:10 PDT)
>>
>>(This is the initial hack.)
>>
>>00:00 clancy in.telnetd[7805]: connect from 208.21.139.183 (/var/log/messages)
>>00:57 clancy PAM_pwdb[7811]: password for (gdm/42) changed by ((null)/0) (/var/log/messages)
>>     < gdm:$1$SOUOZBTa$jfldaf2zoxrKh9WECYkhS0:11100:0:99999:7:-1:-1:134538460 (/etc/shadow)
>>     > gdm:$1$kWRfP1c.$PBs.7nIR4gjO1VYPUvssi.:11095:0:99999:7:-1:-1:134537332 (/etc/shadow)
>>01:39 clancy in.ftpd[7818]: connect from 208.21.139.183 (/var/log/messages)
>>01:40 clancy ftpd[7818]: FTP LOGIN FROM dial183.fastdata.net [208.21.139.183], gdm (/var/log/messages)
>>03:03 4 dial183.fastdata.net 7449 /tmp/b.tgz b _ i r gdm ftp 0 * c (/var/log/xferlog)
>>03:11 7 dial183.fastdata.net 10244 /tmp/z b _ i r gdm ftp 0 * c (/var/log/xferlog)
>>03:18 5 dial183.fastdata.net 12716 /tmp/amdx b _ i r gdm ftp 0 * c (/var/log/xferlog)
>>03:42 clancy ftpd[7818]: FTP session closed (/var/log/messages)
>>
>>---- episode 3 (at 22:35:24)
>>
>>(This is a follow-up hack.)
>>
>>00:00 clancy identd[7923]: Connection from madsax-1.dsl.speakeasy.net (/var/log/messages)
>>00:01 clancy identd[7923]: from: 216.231.35.44 ( madsax-1.dsl.speakeasy.net ) for: 3065, 53 (/var/log/messages)
>>00:21 clancy identd[7924]: Connection from subaudio.mydriasis.com (/var/log/messages)
>>00:21 clancy identd[7924]: from: 216.231.36.141 ( subaudio.mydriasis.com ) for: 1059, 53 (/var/log/messages)
>>02:46 clancy fingerd[7927]: rejected @mahat.com  (/var/log/messages)
>>02:46 clancy in.fingerd[7927]: connect from 216.231.48.154 (/var/log/messages)
>>02:51 clancy fingerd[7929]: rejected @mahat.com  (/var/log/messages)
>>02:51 clancy in.fingerd[7929]: connect from XXX.XXX.XX.XX (/var/log/messages)
>>03:42 jonesin-0.dsl.speakeasy.net /var/spool/httpd/access_log (top webpage)
>>
>>---- call at about 22:50:00
>>
>>I got an anonymous call from someone who wouldn't identify himself,
>>demanding that I stop trying to hack into their system. The man wouldn't
>>explain what was happening, or what he meant by "hack into his
>>system". I powered down my system, then booted it after work today,
>>the next day, after disconnecting the computer from the LAN and
>>from the internet.
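The log excerpts quoted above can be checked mechanically: a password change attributed to ((null)/0) in the PAM_pwdb line, followed by an FTP login as that account and incoming transfers into /tmp in xferlog, is the sequence Eldon reconstructed by hand. The script below is an added example, not code from the post or the list; it parses constructed lines modelled on the quoted ones (same MM:SS offsets the author used in place of syslog timestamps, and the wu-ftpd xferlog field layout) and reports accounts showing that pattern.

```python
import re

# Constructed sample lines, modelled on the quoted post (the author replaced the
# syslog timestamps with MM:SS offsets from the start of each episode).
MESSAGES = """\
00:00 clancy in.telnetd[7805]: connect from 208.21.139.183
00:57 clancy PAM_pwdb[7811]: password for (gdm/42) changed by ((null)/0)
01:39 clancy in.ftpd[7818]: connect from 208.21.139.183
01:40 clancy ftpd[7818]: FTP LOGIN FROM dial183.fastdata.net [208.21.139.183], gdm
03:42 clancy ftpd[7818]: FTP session closed
""".splitlines()
XFERLOG = """\
03:03 4 dial183.fastdata.net 7449 /tmp/b.tgz b _ i r gdm ftp 0 * c
03:11 7 dial183.fastdata.net 10244 /tmp/z b _ i r gdm ftp 0 * c
""".splitlines()

PWCHANGE = re.compile(r"^(\S+) \S+ PAM_pwdb\[\d+\]: password for \((\w+)/\d+\) changed by \((\S+)/\d+\)")
FTPLOGIN = re.compile(r"^(\S+) \S+ ftpd\[\d+\]: FTP LOGIN FROM \S+ \[([\d.]+)\], (\w+)")

def unattended_password_changes(messages):
    """Password changes whose changer is ((null)/0): not a logged-in user running
    passwd, which is the oddity the post asks about. Returns [(time, user)]."""
    return [(m.group(1), m.group(2)) for m in map(PWCHANGE.match, messages)
            if m and m.group(3) == "(null)"]

def incoming_uploads(xferlog, user, prefix="/tmp/"):
    """Completed incoming ('i') transfers by `user` into `prefix`. Field offsets
    follow the wu-ftpd xferlog layout, with the post's single-token time where a
    real xferlog has a five-token date. Returns [(time, host, path, size)]."""
    out = []
    for line in xferlog:
        f = line.split()
        if len(f) >= 14 and f[7] == "i" and f[9] == user and f[13] == "c" \
                and f[4].startswith(prefix):
            out.append((f[0], f[2], f[4], int(f[3])))
    return out

def suspicious_accounts(messages, xferlog):
    """Accounts whose password was changed by nobody and that then logged in over
    FTP and dropped files into /tmp: the sequence the post reconstructs for gdm."""
    report = {}
    for when, user in unattended_password_changes(messages):
        logins = [(m.group(1), m.group(2)) for m in map(FTPLOGIN.match, messages)
                  if m and m.group(3) == user and m.group(1) > when]
        uploads = incoming_uploads(xferlog, user)
        if logins and uploads:
            report[user] = {"pw_changed": when, "ftp_logins": logins, "uploads": uploads}
    return report

if __name__ == "__main__":
    for user, ev in suspicious_accounts(MESSAGES, XFERLOG).items():
        print(user, ev)
```

Against a real xferlog the date occupies five tokens, so the field offsets in incoming_uploads shift by four; the MM:SS ordering used here only works because the author's offsets are zero-padded.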


-- THEOSOPHY WORLD -- Theosophical Talk -- theos-talk@theosophy.com


