August 4, 2003
i've been pwned
Sigh. It all started innocently enough.
I logged in as root to my npservers server to clear out the mail log (you'd be surprised how much spam uses as a return address ... those bastards) when I noticed that someone from had logged into my server. At first I thought it had been UNLV, which might be borst (he's on the west coast right now), but it wasn't him.
As it turned out after checking bash_history and /var/log/secure ... some asshole had somehow gotten a hold of my root password and had rooted my box. Even worse, he or she had installed a goddamn rootkit on the server.
A rootkit allows someone backdoor access to any server regardless of whether or not I change the password. Furthermore, the rootkit sniffs the system, meaning every command I typed was being logged so the cracker could find out even more passwords (bad).
Well, with Borst's help, we were able to disable the rootkit (SuckIT was the name of the rootkit), change the password, and make sure none of the essential libraries had been corrupted. I installed chkrootkit (which checks for rootkits, similar to a virus scanner) and ran it on the system.
Hopefully the server is OK now ... but man, it was a scare. I'm lucky I caught the bastard before he could do serious damage to the server; that would not have been good at all.
Oh yeah, the IP address turned out to be a cracked system at the University of Nebraska at Lincoln. Apparently they've had a few systems compromised ... sigh.
I hate crackers.
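The check that tipped the author off, as an added example that is not part of the original post: a small Python scan over /var/log/secure-style sshd lines that flags root logins from hosts outside an allowlist. The sample log lines, hostnames, addresses and the trusted-host set are constructed assumptions.

```python
import re

# Constructed sample lines in the syslog/sshd format found in /var/log/secure
# on a Red Hat system of that era; hostnames and addresses are made up.
SAMPLE_SECURE_LOG = """\
Aug  3 22:41:07 npservers sshd[1842]: Accepted password for root from 192.0.2.10 port 40112 ssh2
Aug  4 01:12:55 npservers sshd[1901]: Accepted password for roy from 192.0.2.10 port 40230 ssh2
Aug  4 02:03:18 npservers sshd[1955]: Accepted password for root from 198.51.100.77 port 51870 ssh2
Aug  4 02:05:40 npservers sshd[1960]: Failed password for root from 198.51.100.77 port 51902 ssh2
"""

# Hosts the admin expects root logins from (assumed; adjust to your own).
TRUSTED_HOSTS = {"192.0.2.10"}

# Matches only successful sshd logins; failed attempts are ignored here.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<host>\S+) port \d+"
)


def parse_logins(text):
    """Yield (timestamp, user, host, method) for each successful sshd login."""
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            yield m.group("ts"), m.group("user"), m.group("host"), m.group("method")


def suspicious_root_logins(text, trusted=TRUSTED_HOSTS):
    """Return (timestamp, host, method) for root logins from untrusted hosts.

    Any hit is a reason to inspect root's bash_history and run a rootkit
    checker such as chkrootkit, as the post describes.
    """
    return [
        (ts, host, method)
        for ts, user, host, method in parse_logins(text)
        if user == "root" and host not in trusted
    ]


if __name__ == "__main__":
    for ts, host, method in suspicious_root_logins(SAMPLE_SECURE_LOG):
        print(f"{ts}: root login via {method} from untrusted host {host}")
```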
Posted by roy on August 4, 2003 at 02:43 PM | 6 Comments