recovering_cracked_servers

This is part of The Pile, a partial archive of some open source mailing lists and newsgroups.



Subject: More hacked server questions
From: Kerry Miller <kerry.miller@duralinetx.com>
Date: Wed, 20 Sep 2000 14:07:45 -0500

I've been tinkering with that server a little, got the logging working (at 
least partially) and have gotten a lot of interesting IP addresses in the 
log.  I'm tightening it up to stop them from hacking other people's systems 
with it, and I don't even begin to know where to look for any software they 
may have installed yet (other than their porn web server).

Other than the IP addresses, I found this earlier today after I edited the 
hosts.allow and deny files:

Sep 20 11:06:14 HOST2 portmap[25317]: connect from 209.84.178.11 to dump(): request from unauthorized host

What does this dump() mean?  Is it doing any damage?  Maybe this is 
somebody looking for an open port, but I don't know what the dump() is.

I restarted the syslog and they rebooted the machine this morning (it's 
1500 miles away...) and the messages file is working but I'm still not 
getting any entries in /var/log/secure, it's just a zero-length file.  The 
syslogd.conf file looks the same as mine so I guess it's ok.  Any ideas how 
to get secure working?

One interesting note - when I restarted the syslog, the messages file 
immediately started growing with data from the last month, like it was 
backed up.  I've saved that file and have found a few recurring IP 
addresses...
;->


Thanks for all your help, I'm on a mission now!
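[Editor's added example, not part of the original message.] The line quoted above is a tcp_wrappers-style refusal logged by portmap: the source address and the RPC procedure it asked for are in the text. The script below, written for this archive and not by anyone in the thread, parses lines of that exact format out of a syslog file and tallies refusals per source address, which is the quickest way to pull the "recurring IP addresses" out of a month of backed-up messages. The sample lines are constructed for the demo (only the first is the one quoted in the post); the procedure names other than dump() are assumptions about what portmap might log, not taken from the page.

```python
"""Tally portmap / tcp_wrappers refusals from syslog lines.

Added example, not from the original thread. Only the refusal format quoted
in the post ("connect from X to Y: request from unauthorized host") is
parsed; anything else is skipped.
"""
import re
from collections import Counter, defaultdict

# Matches the refusal format seen in the post. Timestamp, host, program and
# pid are captured loosely; the RPC procedure or service name is "target".
REFUSAL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"connect from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) to (?P<target>[^:]+): "
    r"request from unauthorized host\s*$"
)


def parse_refusals(lines):
    """Yield (src_ip, program, target) for each refusal line; skip the rest."""
    for line in lines:
        m = REFUSAL_RE.match(line)
        if m:
            yield m["src"], m["prog"], m["target"]


def summarize(lines, min_hits=2):
    """Return {src_ip: {"hits": n, "targets": [...]}} for sources seen at
    least min_hits times, most frequent first, so repeat offenders stand out."""
    hits = Counter()
    targets = defaultdict(set)
    for src, prog, target in parse_refusals(lines):
        hits[src] += 1
        targets[src].add(f"{prog}:{target}")
    return {
        src: {"hits": n, "targets": sorted(targets[src])}
        for src, n in hits.most_common()
        if n >= min_hits
    }


# Constructed sample log: the first line is the one quoted in the post, the
# others are made up to show a repeat offender, one-off sources and a line
# that is not a refusal at all.
SAMPLE_LOG = [
    "Sep 20 11:06:14 HOST2 portmap[25317]: connect from 209.84.178.11 to dump(): request from unauthorized host",
    "Sep 20 11:06:15 HOST2 portmap[25317]: connect from 209.84.178.11 to getport(status): request from unauthorized host",
    "Sep 20 11:07:40 HOST2 portmap[25317]: connect from 198.51.100.23 to dump(): request from unauthorized host",
    "Sep 20 11:09:00 HOST2 kernel: eth0: link up",
    "Sep 20 11:12:03 HOST2 portmap[25317]: connect from 209.84.178.11 to dump(): request from unauthorized host",
    "Sep 20 11:15:27 HOST2 portmap[25317]: connect from 203.0.113.5 to getport(nfs): request from unauthorized host",
]


def report(path=None, min_hits=2):
    """Summarize a real syslog file if a path is given, else the sample."""
    if path is None:
        return summarize(SAMPLE_LOG, min_hits)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return summarize(fh, min_hits)


if __name__ == "__main__":
    for src, info in report().items():
        print(f"{src:16} {info['hits']:4d}  {', '.join(info['targets'])}")
```

Run it against a saved copy of /var/log/messages by passing the path to report(); keep the original file untouched and work on the copy, since the log itself is evidence.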

===


Subject: Re: More hacked server questions
From: Jason Costomiris <jcostom@jasons.org>
Date: Thu, 21 Sep 2000 07:15:23 -0400

On Wed, Sep 20, 2000 at 02:07:45PM -0500, Kerry Miller wrote:

: I've been tinkering with that server a little, got the
: logging working (at least partially) and have gotten a lot
: of interesting IP addresses in the log.  I'm tightening it
: up to stop them from hacking other people's systems with
: it, and I don't even begin to know where to look for any
: software they may have installed yet (other than their
: porn web server).

Well, for starters, TAKE IT OFF THE NETWORK!  Don't examine a hacked 
machine with it on the network.  You're still giving them a jump-off
point.  Most likely the machine was rootkitted, and unless you've 
"de-kitted" it, which is certainly not an exact science, you are most
likely still able to be connected to.  If you must have the machine 
networked, do it on a private, firewalled LAN.

: I restarted the syslog and they rebooted the machine this
: morning (it's 1500 miles away...) and the messages file is
: working but I'm still not getting any entries in
: /var/log/secure, it's just a zero-length file.  The
: syslogd.conf file looks the same as mine so I guess it's
: ok.  Any ideas how to get secure working?

They replaced your syslogd with a trojaned one that doesn't log anything.
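[Editor's added example, not part of the original message.] The way to confirm a suspicion like this one is to compare the installed daemons against hashes taken from a clean source (install media or the distributor's package), rather than trusting anything the box reports about itself. The script below is written for this archive, not by anyone in the thread; the manifest, file names and byte contents are constructed stand-ins, and the comparison must be done from a clean system with the suspect disk mounted read-only, because ls, ps and friends on a rootkitted host may lie too.

```python
"""Compare installed binaries against known-good hashes.

Added example, not from the original thread. The manifest and file contents
below are constructed stand-ins for hashes taken from clean media.
"""
import hashlib
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """files: path -> bytes read from a trusted source. Returns path -> digest."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify(manifest: dict, read) -> dict:
    """read(path) returns the bytes of that file on the suspect system or
    raises FileNotFoundError. Returns path -> 'ok' | 'MODIFIED' | 'MISSING'."""
    result = {}
    for path, good in manifest.items():
        try:
            data = read(path)
        except FileNotFoundError:
            result[path] = "MISSING"
            continue
        result[path] = "ok" if sha256_hex(data) == good else "MODIFIED"
    return result


def flagged(result: dict) -> list:
    """Paths that need attention, sorted."""
    return sorted(p for p, status in result.items() if status != "ok")


def read_from_mount(mount_root: str):
    """Reader for a real check: the suspect disk mounted read-only on a clean
    box at mount_root, so the suspect's own tools are never executed."""
    def read(path: str) -> bytes:
        return (Path(mount_root) / path.lstrip("/")).read_bytes()
    return read


# Constructed scenario (byte strings, not real binaries): clean copies on one
# side, the suspect host on the other with syslogd replaced and telnetd gone.
CLEAN = {
    "/sbin/syslogd": b"clean syslogd v1",
    "/bin/ls": b"clean ls v1",
    "/bin/ps": b"clean ps v1",
    "/usr/sbin/in.telnetd": b"clean telnetd v1",
}
SUSPECT = {
    "/sbin/syslogd": b"trojaned syslogd",  # replaced daemon that drops log lines
    "/bin/ls": b"clean ls v1",
    "/bin/ps": b"clean ps v1",
}


def read_suspect(path: str) -> bytes:
    try:
        return SUSPECT[path]
    except KeyError:
        raise FileNotFoundError(path)


def check_suspect_host() -> dict:
    """Run the comparison for the constructed scenario."""
    return verify(build_manifest(CLEAN), read_suspect)


if __name__ == "__main__":
    result = check_suspect_host()
    for path in flagged(result):
        print(f"{result[path]:9} {path}")
    # For a real disk: verify(manifest, read_from_mount("/mnt/suspect"))
```

A manifest of one known-good machine's binaries is enough to catch crude replacements like a syslogd that never writes /var/log/secure; it says nothing about kernel modules or config changes, which is why the thread's advice to reinstall still stands.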

===

Subject: RE: More hacked server questions
From: Kerry Miller <kerry.miller@duralinetx.com>
Date: Fri, 22 Sep 2000 09:13:13 -0500

Jamin Collins <JaminC@adapt-tele.com> wrote:

> If I remember correctly, he's intentionally leaving the box
> connected as he is looking for more information on the
> people that did it.

Jamin, you're right.  I've made some changes to the machine (fixed the 
hosts.allow and hosts.deny and a few other things), changed some passwords, 
and it seems to have prevented them from hacking anybody else with it, at 
least for now.  Yeah, I've already told them they're going to have to 
re-install everything to make sure it's clean, but I've gotten the log 
working and got a pretty fair collection of IP addresses, along with a few 
repetitive ones.  I'm sort of on a mission now...

So, here's another question - if I come up with a couple of IP addresses 
that look to be good (like not spoofed and possibly the original hackers), 
what do I do with them?  The server is in Miami, should I give them to the 
Miami FBI office?  Just ignore it and chalk it up to their bad setup?  What 
do you guys think?

===

Subject: RE: More hacked server questions
From: "Burke, Thomas G." <thomas_g_burke@md.northgrum.com>
Date: Fri, 22 Sep 2000 11:06:16 -0400

I got hacked & was used in DDOS attacks on Yahoo, AOL, etc., back when that
all was real big in the news...  I offered my logs to the FBI, & they didn't
take me up on it, so I guess it's not a real high priority for them,
regardless of what you hear about it...

===

Subject: RE: More hacked server questions
From: Jamin Collins <JaminC@adapt-tele.com>
Date: Fri, 22 Sep 2000 12:31:15 -0500

First place to start would be with the ISPs that are responsible for those
IPs.  I wouldn't bet on a lot of cooperation though.

===

Subject: RE: More hacked server questions
From: "John D. Hardin" <jhardin@wolfenet.com>
Date: Sat, 23 Sep 2000 09:31:01 -0700 (PDT)

On Fri, 22 Sep 2000, Jamin Collins wrote:

> First place to start would be with the ISPs that are responsible
> for those IPs.  I wouldn't bet on a lot of cooperation though.

Nonsense. I've always had good results notifying the ISP. Offer your
logs to them should they want to prosecute, and if you want to pursue
prosecution yourself please ask them to retain copies of *their* logs.

===


doom@kzsu.stanford.edu