Well, I've had a few machines hacked in the near past, and I've even got
a 30 page log file of what the little F _ _ _er did and what he was
doing. I would have loved to have had the chance to monitor the
traffic, but Vitts networks cut the connection before I could use a
traffic sniffer. But oh well, maybe next time .... Rob F.
PS. I'd love to pool info like this to set up traps for little Sh_ _
Heads like this ...
----- Original Message -----
From: Thomas Charron <[EMAIL PROTECTED]>
To: Greater NH Linux User Group <[EMAIL PROTECTED]>
Sent: Tuesday, September 19, 2000 6:53 PM
Subject: Hacked. Reporting?
> I have an interesting question for everyone. As of Friday, my machine
> was hacked. Not a problem, I caught it fairly easily. I did do
> something that most people probably do *NOT* do. I fixed the prob that
> allowed him to get in, but I'm continuing to allow him to run rampant
> in the account he isn't aware that I know exists. His app that is
> giving him access is currently running its merry little butt off..
>
> Basically, he's running a distributed attack daemon, being controlled
> via an eggdrop bot, connected to IRC. In the process of looking at the
> logs, etc, I now have a fairly *VAST* amount of knowledge regarding
> this little bugger, along with other sites he's hacked from, who have
> the same hole in them. The question is..
>
> What can I *DO* with all this data? I've now started to monitor the
> output logs from the stupid eggdrop hack, currently running as
> 'netserver', which is, of course, currently connected to EFNet. I have
> tcpsnoop logging all of the data coming into that application.
> Technically, right now I could hijack this twink's network, because
> he's ordering it by using public chat commands. I've seen them come.
> He occasionally ftp's into the box to check to ensure the account is
> still valid. I'm looking at this $%@#^&$%@&@$%*&.
>
> Now I know, leaving my box open is dangerous. But I can wipe this box
> without much of an effort. I won't lose anything.
>
> But damned it, I want this little &$*%#^&#%&&#%^*#%^()&(%^.
>
> Any suggestions? He currently has hacked at least 24 other machines,
> running similar apps, running on the same server. He's using a package
> available at http://www.punk.uk.net/botpack1.3.tgz, which looks like a
> standard IRC bot hack setup. I intend on informing the other machine
> administrators that he's broken, but for now, I'm logging it with all
> my might.
>
> Frustratingly yours..
>
> One *VERY PO'd* individual..
>
>
> ---
> Thomas Charron
> << Wanted: One decent sig >>
> << Preferably little used >>
> << and stored in garage. ?>>
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************