Re: [TCLUG:22365] Hacked

To: tclug-list <tclug-list@mn-linux.org>
Subject: Re: [TCLUG:22365] Hacked
From: Adam Maloney <adamm@sihope.com>
Date: Sun, 8 Oct 2000 14:53:18 -0500 (CDT)
In-Reply-To: <Pine.LNX.4.21.0010081424100.21122-100000@chef.nerp.net>

Yeah, I said earlier that I was seeing scans twice a week or more.  The
kiddies are pretty ballsy...last week I had a MediaOne luser that scanned
209.98.16/19 - every host on my network and all of my customers.  He would
connect to port 21, check what kind of ftpd it was running, then
disconnect.  When I reported him to MediaLose, I included all 1000 lines
of logs from the IP's my servers and network were occupying.  My LARTs
were answered with a nice "we nuked him" reply.

Some kid in Korea on an OLD linux box scanned me a couple weeks ago.  The
admins in .kr don't really care.  I almost sent him a "WE ARE WATCHING
YOU" message to his syslogd (which was open), but I didn't.  I'm going
soft, any self-respecting BOFH would've made his monitor smoke or
something.  Losin' my nerve I guess.

Adam Maloney
Systems Administrator
Sihope Communications

On Sun, 8 Oct 2000, Ben Kochie wrote:

> probably wu-ftpd, as adam mentioned.. there has been a rash of wu-ftpd
> related exploits, i saw an advisory a couple weeks ago on caldera
> 
> Thank You,
>         Ben Kochie (ben@nerp.net)
> 
> *-----------------------*  [ - * - * - * - * - * - * - * - ]
> | Unix/Linux Consulting |  [ Haiku Error Message:          ]
> |  PC/Mac Repair        |  [  Chaos reigns within.         ]
> |   Networking          |  [  Reflect, repent, and reboot. ]
> | http://nerp.net       |  [  Order shall return.          ]
> *-----------------------*  [ - * - * - * - * - * - * - * - ]
> 
>  "Unix is user friendly, Its just picky about its friends."
> 
> On Sun, 8 Oct 2000, Brian wrote:
> 
> > My system was hacked last night,  I was shut down from 10 pm until about
> > 9 this morning, when I rebooted I had a new account called pbadmin on my
> > login screen, before I just blow this acount away I would like to find
> > out how he got into my system.  Any suggestions on how to back track
> > him?
> >   I'm running caldera 2.4edesktop, with a dsl connection through a cisco
> > 675 and a netgear RT311 router.
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> > For additional commands, e-mail: tclug-list-help@mn-linux.org
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe@mn-linux.org
> For additional commands, e-mail: tclug-list-help@mn-linux.org
> 
>

Follow-Ups:
- Re: [TCLUG:22365] Hacked
  - From: Callum Lerwick <lerwick@tcfreenet.org>

References:
- Re: [TCLUG:22365] Hacked
  - From: Ben Kochie <ben@nerp.net>

Prev by Date: RE: [TCLUG:22353] Slackware/Caldera/Installfest/kPPP
Next by Date: RE: [TCLUG:22365] Hacked
Prev by thread: Re: [TCLUG:22365] Hacked
Next by thread: Re: [TCLUG:22365] Hacked
Index(es):
- Date
- Thread