Tom,
I'm sorry to see that you got cracked, but I wanted to thank you for
posting it. I think that it makes for a good study to see this sort of
thing in practical terms. I'd also like to suggest that you might want
to submit this to GIAC (SANS Global Incident Analysis Center
http://www.sans.org/giac.htm ) so that other people can learn from it as
well. Oh, BTW, turn off rpc.statd already, would ya??? ;-)
Kenny
Tom Rauschenbach wrote:
>
> Well folks if you've ever wondered what might happen if you go online before
> securing a new installation check this out from my /var/logs/messages...
> My comments start with /*
>
> I've wrapped the long lines from the log
> /* First a buffer overflow exploit.
> Feb 10 20:07:10 localhost rpc.statd[273]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ ÿ ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8049710
> 8052c28687465676274736f6d616e79726 520 bffff718 bffff719 bffff71a
>
> /* Then he creates new user...
> Feb 10 20:07:59 localhost adduser[5153]: new user:
> name=cgi, uid=0, gid=0, home =/home/cgi, shell=/bin/bash
>
> /* changes the passwd like a good boy...
> Feb 10 20:08:18 localhost PAM_pwdb[5154]: password for (cgi/0) changed by
> Feb 10 20:08:18 localhost PAM_pwdb[5154]: password for (cgi/0) changed by
> ((null)/0)
>
> /* gives himself a second way in
> Feb 10 20:08:49 localhost PAM_pwdb[5155]: password for (operator/11) changed by
> ((null)/0)
>
> /* I pull the plug
> Feb 10 20:09:42 localhost pppd[2439]: Terminating on signal 15.
> Feb 10 20:20:00 localhost kernel: PPP: ppp line discipline successfully unregistered
>
> So the moral is, you ain't done installing just because it works.
>
> Time to wipe this puppy and start over...
>
> --
> There's no such thing as a "pretty good" alligator wrestler.
> [EMAIL PROTECTED] Tom Rauschenbach
>
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************
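As an added illustration (not code from Kenny or Tom, and not from any list member), here is a small Python scanner that reads syslog-style lines like the excerpt above, glues wrapped continuation lines back onto the record they belong to, and flags the three things Tom's /* comments point at: an rpc.statd gethostbyname error whose "hostname" is binary garbage or a long hex run, an adduser entry creating a second uid-0 account, and PAM_pwdb password changes made by a process with no login identity ("((null)/0)"). The sample log is constructed for the example, modelled on the lines in Tom's post; the message formats and the rule thresholds (16 hex digits, printable ASCII range) are assumptions, not anything the page specifies.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log, modelled on the excerpt in Tom's post (not a real log).
# Long lines are wrapped the way Tom wrapped his, so the parser must re-join them.
SAMPLE_LOG = """\
Feb 10 20:07:10 localhost rpc.statd[273]: gethostbyname error for \x18\xf7\xff\xbf\x18\xf7\xff\xbfbffff750 8049710
8052c28687465676274736f6d616e79726 520 bffff718 bffff719 bffff71a
Feb 10 20:07:30 localhost rpc.statd[273]: gethostbyname error for nfs-client.example.test
Feb 10 20:07:59 localhost adduser[5153]: new user:
name=cgi, uid=0, gid=0, home=/home/cgi, shell=/bin/bash
Feb 10 20:08:05 localhost adduser[5160]: new user:
name=alice, uid=501, gid=501, home=/home/alice, shell=/bin/bash
Feb 10 20:08:18 localhost PAM_pwdb[5154]: password for (cgi/0) changed by
((null)/0)
Feb 10 20:08:49 localhost PAM_pwdb[5155]: password for (operator/11) changed by
((null)/0)
Feb 10 20:09:00 localhost PAM_pwdb[5170]: password for (alice/501) changed by
(alice/501)
Feb 10 20:09:42 localhost pppd[2439]: Terminating on signal 15.
"""

# Classic "Mon DD HH:MM:SS host prog[pid]: message" syslog layout (assumed format).
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$'
)


@dataclass
class Record:
    ts: str
    host: str
    prog: str
    pid: Optional[str]
    msg: str


def parse_syslog(text: str):
    """Parse lines; a line without a syslog header is a wrapped continuation."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            records.append(Record(m['ts'], m['host'], m['prog'], m['pid'], m['msg']))
        elif records:
            records[-1].msg += ' ' + line.strip()
    return records


HEX_RUN = re.compile(r'[0-9a-f]{16,}')  # threshold is an assumption


def check_statd(rec: Record) -> Optional[str]:
    """Hostnames are printable; control bytes or long hex blobs are not a hostname."""
    prefix = 'gethostbyname error for '
    if rec.prog == 'rpc.statd' and rec.msg.startswith(prefix):
        arg = rec.msg[len(prefix):]
        binary = any(ord(c) < 0x20 or ord(c) > 0x7e for c in arg)
        if binary or HEX_RUN.search(arg):
            return 'rpc.statd: non-printable/hex payload in gethostbyname argument (overflow attempt)'
    return None


NEW_USER = re.compile(r'new user: *(?P<fields>.*)')


def check_adduser(rec: Record) -> Optional[str]:
    """Any new account with uid 0 other than root is a second superuser."""
    if rec.prog != 'adduser':
        return None
    m = NEW_USER.search(rec.msg)
    if not m:
        return None
    fields = {k.strip(): v.strip() for k, v in
              (kv.split('=', 1) for kv in m['fields'].split(',') if '=' in kv)}
    if fields.get('uid') == '0' and fields.get('name') != 'root':
        return f"adduser: new uid-0 account {fields.get('name')!r} created"
    return None


PW_CHANGE = re.compile(
    r'password for \((?P<acct>[^/]+)/(?P<uid>\d+)\) changed by \((?P<by>.+?)/(?P<byuid>\d+)\)'
)


def check_passwd(rec: Record) -> Optional[str]:
    """Password changed by '(null)' means no login session: a process acting as root."""
    if not rec.prog.startswith('PAM'):
        return None
    m = PW_CHANGE.search(rec.msg)
    if not m:
        return None
    if m['by'] == '(null)' or m['uid'] == '0':
        return (f"{rec.prog}: password for {m['acct']} (uid {m['uid']}) "
                f"changed by {m['by']} (uid {m['byuid']})")
    return None


RULES = (check_statd, check_adduser, check_passwd)


def scan(text: str):
    """Return (timestamp, finding) pairs in log order."""
    findings = []
    for rec in parse_syslog(text):
        for rule in RULES:
            hit = rule(rec)
            if hit:
                findings.append((rec.ts, hit))
    return findings


if __name__ == '__main__':
    for ts, hit in scan(SAMPLE_LOG):
        print(ts, hit)
```

Run against the sample it reports four events, in the same order Tom read them off his log, while the clean statd lookup, the ordinary uid-501 account and alice changing her own password pass silently. The continuation handling matters: on the page the uid=0 field and the "((null)/0)" part are on their own lines, and a line-at-a-time grep for "uid=0" or "(null)" would not see the timestamp or program they belong to.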