Sigh. It all started innocently enough.

I logged in as root to my npservers server to clear out the mail log (you'd be surprised how much spam uses as a return address ... those bastards) when I noticed that someone from had logged into my server. At first I thought it had been UNLV, which might be Borst (he's on the west coast right now), but it wasn't him.

As it turned out after checking bash_history and /var/log/secure ... some asshole had somehow gotten a hold of my root password and had rooted my box. Even worse, he or she had installed a goddamn rootkit on the server.

A rootkit allows someone backdoor access to any server regardless of whether or not I change the password. Furthermore, the rootkit sniffs the system, meaning every command I typed was being logged so the cracker could find out even more passwords (bad).

Well, with Borst's help, we were able to disable the rootkit (SuckIT was the name of the rootkit), change the password, and make sure none of the essential libraries had been corrupted. I installed chkrootkit (which checks for rootkits, similar to a virus scanner) and ran it on the system.

Hopefully the server is OK now ... but man it was a scare. I'm lucky I caught the bastard before he could do serious damage to the server; that would not have been good at all.

Oh yeah, the IP address turned out to be a cracked system at the University of Nebraska at Lincoln. Apparently they've had a few systems compromised ... sigh.

I hate crackers.
Posted by roy on August 4, 2003 at 02:43 PM | 6 Comments

Comment posted on August 5th, 2003 at 02:34 AM
damn glad everything is ok. everything IS ok right?
Comment posted on August 5th, 2003 at 01:10 AM
At least you caught the bastard before he could cause you more trouble. Pity you can't trace him back and then "deal" with him using your Azian mafia connections.
Comment posted on August 4th, 2003 at 09:55 PM
ah, now i can die in peace. my life's work is complete.
Comment posted on August 4th, 2003 at 07:12 PM
when you say crackers, you are talking about honkies right?
Comment posted on August 4th, 2003 at 05:13 PM
i am scared to death of them...
Comment posted on August 4th, 2003 at 03:07 PM
racist pig