[TCLUG] Re: [TCLUG:22365] Hacked

Sun Oct 8 14:53:18 CDT 2000

Yeah, I said earlier that I was seeing scans twice a week or more.  The
kiddies are pretty ballsy...last week I had a MediaOne luser that scanned
209.98.16/19 - every host on my network and all of my customers.  He would
connect to port 21, check what kind of ftpd it was running, then
disconnect.  When I reported him to MediaLose, I included all 1000 lines
of logs from the IP's my servers and network were occupying.  My LARTs
were answered with a nice "we nuked him" reply.

Some kid in Korea on an OLD linux box scanned me a couple weeks ago.  The
admins in .kr don't really care.  I almost sent him a "WE ARE WATCHING
YOU" message to his syslogd (which was open), but I didn't.  I'm going
soft, any self-respecting BOFH would've made his monitor smoke or
something.  Losin' my nerve I guess.

Adam Maloney
Systems Administrator
Sihope Communications

On Sun, 8 Oct 2000, Ben Kochie wrote:

> probably wu-ftpd, as adam mentioned.. there has been a rash of wu-ftpd
> related exploits, i saw an advisory a couple weeks ago on caldera
> 
> Thank You,
>         Ben Kochie (ben at nerp.net)
> 
> *-----------------------*  [ - * - * - * - * - * - * - * - ]
> | Unix/Linux Consulting |  [ Haiku Error Message:          ]
> |  PC/Mac Repair        |  [  Chaos reigns within.         ]
> |   Networking          |  [  Reflect, repent, and reboot. ]
> | http://nerp.net       |  [  Order shall return.          ]
> *-----------------------*  [ - * - * - * - * - * - * - * - ]
> 
>  "Unix is user friendly, Its just picky about its friends."
> 
> On Sun, 8 Oct 2000, Brian wrote:
> 
> > My system was hacked last night,  I was shut down from 10 pm until about
> > 9 this morning, when I rebooted I had a new account called pbadmin on my
> > login screen, before I just blow this acount away I would like to find
> > out how he got into my system.  Any suggestions on how to back track
> > him?
> >   I'm running caldera 2.4edesktop, with a dsl connection through a cisco
> > 675 and a netgear RT311 router.
> > 
> > 
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
> > For additional commands, e-mail: tclug-list-help at mn-linux.org
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
> For additional commands, e-mail: tclug-list-help at mn-linux.org
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: tclug-list-unsubscribe at mn-linux.org
For additional commands, e-mail: tclug-list-help at mn-linux.org