RE: [SLUG] OK it's my faul - Help I've been hacked

From: Grantham, Patrick (Patrick.Grantham@vacationclub.com)
Date: Tue Aug 28 2001 - 08:44:53 EDT

I also suggest buying the Linksys router ($99). It is also a firewall and
by default, blocks all incoming port traffic, allows outgoing traffic so the
impact and setup is very simple. IT also has logging, so you can get some
info about both incoming and outgoing traffic. A truly great tool

Patrick

PS
I don't work for Linksys. I am sure the netgear is a good too. It just
costs a little more.

-----Original Message-----
From: Brett Simpson [mailto:Simpsonb@hillsboroughcounty.org]
Sent: Monday, August 27, 2001 4:42 PM
To: slug@nks.net; mchester@yahoo.com
Subject: Re: [SLUG] OK it's my faul - Help I've been hacked

Maybe when you were hacked it added another daemon to run on another port
other than ftp. Use a port scanner like nmap to check for any other ports
being open. Once you see something odd you may be able to use telnet to
check out what it responds with.

nmap -p 1-65535 localhost
nmap -sU -p 1-65535 localhost
telnet localhost port

>>> mchester@yahoo.com 08/27/01 03:49PM >>>
OK it's my fault. I was playing around with anonymous ftp and forgot to kill
ftp when I
was done. This morning I noticed I had a lot of activity on my hub and My
son was at work.
So I knew it was him. So looking at my logs I found this.
Sun Aug 26 22:10:42 2001 201 acaen-101-1-3-7.abo.wanadoo.fr 3223552
/data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD1/
le_pacte_des_loup_part1_(divx4.0_2_pass__AC3).00.r41
b _ i g ftp ftp 0 * c

So I promptly stopped ftp and removed the abover dir. Note it wouldn't let
me remove COM1_
dir so I deleted the whole tree /data/anonymous.

Now my question is since ftp is no longer running and I've removed the
anonymous dir why
does my log now showed this? The time is at least 2 hours after I shut off
the anonymous
access.
Mon Aug 27 12:10:15 2001 56 acaen-101-1-3-7.abo.wanadoo.fr 906840
/data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD2/
le_pacte_des_loup_part2_(divx4.0_2_pass__AC3).00.r00
b _ i g ftp ftp 0 * c

How can they still be xfering files that no longer exist on my system? Well
at least they
aren't in the /data/anonymous dir tree.

If I try to ftp to my machine using anonymous I receive this message. 530
Can't set guest
privileges.
Login failed. Which I would expect as I removed the anonymous ftp userid.
So how can
these script kiddies still be getting in?

And whats a good program to use to find this kind of stuff? I'm not sure
how long this
would have went on if I hadn't noticed my hub lites working so hard.

Thanks
Mike M.

_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:27 EDT