[clug] Need opinions about actions of an intruder...

Kim Holburn kim.holburn at nicta.com.au
Thu Aug 10 10:55:19 GMT 2006


On 2006 Aug 10, at 8:11 PM, Steve Walsh wrote:

> It looks like he's taking a very convoluted and roundabout way to
> get someone's email address, but I'd be more worried about someone
> who can remember how to compromise a RH9 box.

It's just a script.  They identify the OS (not too hard these days  
from IP response times and TCP serial characteristics) and choose a  
script to 0wn it.  It's a pain the way commercial distros stop being  
patched after a certain amount of time (or when your sub runs out).

> Nedim Hadzimahmutovic wrote:
>> Hi,
>> at work an old RH 9 box, which was 'maintained' by a coworker, was
>> hacked. While I was debugging asterisk on that box, I noticed a
>> strange process. Later I examined /var/log/messages and noticed
>> someone logged as user 'news' with uid 0. We did a backup of files,
>> and also a complete reinstall of the box (FC4). The strange process
>> was this one:
>> root      7664  0.3  0.1  2024  884 ?        S    13:35   0:00 sh -c
>> lynx -dump "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306"

It's a knife.  Whatever, it's something dodgy on eBay.  Doing  
something without showing his original IP.  Did you get any logs of  
the attacking IP?  You could let eBay know or AUSCERT.

>> | grep @ >>
>> root      7665  1.6  0.2  4960 2280 ?        S    13:35   0:00 lynx
>> -dump http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306
>> What do you think the intruder was doing?
> -- 
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux

-- 
Kim Holburn
Security Manager, National ICT Australia Ltd.
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
mailto:kim.holburn at nicta.com.au  aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
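Two checks a responder would want to run on a box like the one described above, written here as an added example (this is not code from the thread or from any of its participants). It assumes two things the thread implies but does not show: that the 'news' login with uid 0 came from an extra uid-0 entry in /etc/passwd, and that the harvesting job looked like the `ps` lines Nedim posted (a root-owned `sh -c` running `lynx -dump ... | grep @`). Both inputs are constructed samples embedded in the script; the `>> /tmp/addrs` redirect target is made up, since the original post cut it off.

```python
"""Triage helpers for the intrusion pattern discussed in the thread.

Added example, not code from the original mail. Inputs are constructed.
"""
import re
import shlex

# Constructed /etc/passwd sample: 'news' has been given uid 0 (assumed
# mechanism behind the "logged as user 'news' with uid 0" observation).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
news:x:0:13:news:/etc/news:/bin/bash
nedim:x:500:500::/home/nedim:/bin/bash
"""

# Constructed `ps aux` sample modelled on the lines in the original mail.
# The '>> /tmp/addrs' target is invented; the post did not show it.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root      7664  0.3  0.1  2024  884 ?        S    13:35   0:00 sh -c lynx -dump "http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306" | grep @ >> /tmp/addrs
root      7665  1.6  0.2  4960 2280 ?        S    13:35   0:00 lynx -dump http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=130008016306
asterisk  1201  0.0  0.5 12345 5678 ?        S    13:30   0:01 /usr/sbin/asterisk -vvv
nedim     2210  0.0  0.1  4012 1100 pts/0    S    13:34   0:00 lynx -dump http://www.example.org/
"""

# Page-fetching tools; any of these run as root and piped into grep for '@'
# matches the address-harvesting pattern from the thread.
FETCH_TOOLS = {"lynx", "wget", "curl", "links", "fetch", "GET"}


def extra_uid0_accounts(passwd_text):
    """Return account names other than 'root' whose uid field is 0."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed line; skip rather than crash
        name, uid = fields[0], fields[2]
        if uid.strip() == "0" and name != "root":
            hits.append(name)
    return hits


def parse_ps(ps_text):
    """Turn `ps aux` output into dicts with user, pid and full command."""
    rows = []
    for line in ps_text.splitlines()[1:]:  # drop the header row
        parts = line.split(None, 10)  # COMMAND keeps its internal spaces
        if len(parts) < 11:
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]), "cmd": parts[10]})
    return rows


def suspicious_harvesters(ps_text):
    """Return PIDs of root-owned commands that fetch a page and grep it for '@'."""
    pids = []
    for row in parse_ps(ps_text):
        if row["user"] != "root":
            continue
        cmd = row["cmd"]
        try:
            words = shlex.split(cmd)
        except ValueError:
            words = cmd.split()  # unbalanced quotes; fall back to whitespace
        uses_fetch = any(w in FETCH_TOOLS for w in words)
        greps_at = re.search(r"\|\s*grep\s+['\"]?@", cmd) is not None
        if uses_fetch and greps_at:
            pids.append(row["pid"])
    return pids


if __name__ == "__main__":
    print("uid 0 besides root:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("harvester PIDs:", suspicious_harvesters(SAMPLE_PS))
```

On a live system you would feed `extra_uid0_accounts` the real `/etc/passwd` and `suspicious_harvesters` the output of `ps aux`; the PID 7665 `lynx` child is deliberately not flagged on its own, because the pipe into `grep @` lives in the parent `sh -c` command line.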