Re: [SLUG] OK it's my fault - Help I've been hacked

From: Brett Simpson (Simpsonb@hillsboroughcounty.org)
Date: Mon Aug 27 2001 - 16:42:18 EDT


Maybe when you were hacked it added another daemon to run on another port other than ftp. Use a port scanner like nmap to check for any other ports being open. Once you see something odd you may be able to use telnet to check out what it responds with.

nmap -p 1-65535 localhost
nmap -sU -p 1-65535 localhost
telnet localhost port

>>> mchester@yahoo.com 08/27/01 03:49PM >>>
OK it's my fault. I was playing around with anonymous ftp and forgot to kill ftp when I
was done. This morning I noticed I had a lot of activity on my hub and my son was at work.
So I knew it was him. So looking at my logs I found this.
Sun Aug 26 22:10:42 2001 201 acaen-101-1-3-7.abo.wanadoo.fr 3223552 /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD1/le_pacte_des_loup_part1_(divx4.0_2_pass__AC3).00.r41 b _ i g ftp ftp 0 * c

So I promptly stopped ftp and removed the above dir. Note it wouldn't let me remove the COM1_
dir so I deleted the whole tree /data/anonymous.

Now my question is, since ftp is no longer running and I've removed the anonymous dir, why
does my log now show this? The time is at least 2 hours after I shut off the anonymous
access.
Mon Aug 27 12:10:15 2001 56 acaen-101-1-3-7.abo.wanadoo.fr 906840 /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD2/le_pacte_des_loup_part2_(divx4.0_2_pass__AC3).00.r00 b _ i g ftp ftp 0 * c

How can they still be xfering files that no longer exist on my system? Well at least they
aren't in the /data/anonymous dir tree.

If I try to ftp to my machine using anonymous I receive this message:
530 Can't set guest privileges.
Login failed.
Which I would expect, as I removed the anonymous ftp userid. So how can
these script kiddies still be getting in?

And what's a good program to use to find this kind of stuff? I'm not sure how long this
would have gone on if I hadn't noticed my hub lights working so hard.

Thanks
Mike M.

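Decoding the xferlog entries quoted in the thread and checking for the two things it raises (guest/anonymous uploads, and entries written after the service was believed to be stopped), as an added example that is not part of either message. It follows the wu-ftpd xferlog(5) field layout; the sample lines, hostnames, paths and the cutoff time below are constructed placeholders, not the poster's log data.

```python
"""Parse wu-ftpd style xferlog entries and flag what a defender wants to see
after an FTP compromise: anonymous/guest uploads, transfers logged after the
service was supposedly stopped, and bytes moved per remote host.

Added example; the sample lines are constructed to match the field layout
quoted in the thread and are not the poster's actual log data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (hostnames and paths are placeholders).
SAMPLE_XFERLOG = """\
Sun Aug 26 22:10:42 2001 201 host.example.invalid 3223552 /data/anonymous/COM1_/SCAN/part1.r41 b _ i g ftp ftp 0 * c
Mon Aug 27 12:10:15 2001 56 host.example.invalid 906840 /data/anonymous/COM1_/SCAN/part2.r00 b _ i g ftp ftp 0 * c
Mon Aug 27 09:30:00 2001 3 10.0.0.5 4096 /home/alice/notes.txt a _ o r alice ftp 0 * c
"""

# Meaning of the single-letter fields as documented in xferlog(5).
DIRECTION = {"i": "incoming (upload to server)", "o": "outgoing (download)", "d": "deleted"}
ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real user"}
COMPLETION = {"c": "complete", "i": "incomplete"}


@dataclass
class XferRecord:
    when: datetime          # time the entry was written (end of the transfer)
    transfer_seconds: int
    remote_host: str
    size: int
    filename: str
    transfer_type: str      # a = ascii, b = binary
    special_action: str     # C / U / T, or _ for none
    direction: str          # i / o / d
    access_mode: str        # a / g / r
    username: str
    service: str
    auth_method: str        # 0 = none, 1 = RFC 931
    auth_uid: str           # * when not available
    completion: str         # c / i


def parse_xferlog_line(line):
    """Parse one xferlog entry. The first five tokens are the timestamp and the
    last nine are fixed single-token fields, so whatever sits between the file
    size and those nine fields is the filename, even if it contains spaces."""
    tokens = line.split()
    if len(tokens) < 5 + 3 + 1 + 9:
        raise ValueError("too few fields for an xferlog entry: %r" % line)
    when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
    tail = tokens[-9:]
    return XferRecord(
        when=when,
        transfer_seconds=int(tokens[5]),
        remote_host=tokens[6],
        size=int(tokens[7]),
        filename=" ".join(tokens[8:-9]),
        transfer_type=tail[0], special_action=tail[1], direction=tail[2],
        access_mode=tail[3], username=tail[4], service=tail[5],
        auth_method=tail[6], auth_uid=tail[7], completion=tail[8],
    )


def parse_xferlog(text):
    return [parse_xferlog_line(l) for l in text.splitlines() if l.strip()]


def anonymous_uploads(records):
    """Uploads made through anonymous or guest access: the pattern of an FTP
    server being used as a drop box for other people's files."""
    return [r for r in records if r.direction == "i" and r.access_mode in ("a", "g")]


def logged_after(records, cutoff):
    """Entries written after the time the service was believed to be stopped."""
    return [r for r in records if r.when > cutoff]


def bytes_by_host(records):
    totals = defaultdict(int)
    for r in records:
        totals[r.remote_host] += r.size
    return dict(totals)


def describe(r):
    return "%s %s %s, %s login, %d bytes in %ds, user %s, %s" % (
        r.when.isoformat(sep=" "), r.remote_host,
        DIRECTION.get(r.direction, r.direction),
        ACCESS_MODE.get(r.access_mode, r.access_mode),
        r.size, r.transfer_seconds, r.username,
        COMPLETION.get(r.completion, r.completion))


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    stopped = datetime(2001, 8, 27, 10, 0, 0)   # assumed time the ftp service was shut off
    print("anonymous/guest uploads:")
    for r in anonymous_uploads(recs):
        print("  " + describe(r) + " -> " + r.filename)
    print("entries written after %s:" % stopped)
    for r in logged_after(recs, stopped):
        print("  " + describe(r) + " -> " + r.filename)
    print("bytes per remote host:", bytes_by_host(recs))
```

In that layout the third field after the filename is the direction, so the `i` on the quoted lines records an incoming transfer (a file being uploaded to the server), and the `g` beside it a guest-class login; the timestamp is written when the transfer finishes, which is why the parser treats it as the completion time when comparing against a cutoff.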



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:08:44 EDT