Well, it seems apparent that this _is_ a virus, despite the negative
results given by some of the virus checkers.  Looks like a dos/windows
specific virus and someone suggested that as "linux hams," we ought to
be immune.  That may be true, but I would advise against our being too
complacent.

I'd like to take this opportunity to mention that a little over a
month ago, two of my linux hosts were broken into and bogus binaries
were placed on the systems.  I haven't figured out exactly how; the
attacker took time to erase that day's entries from the system log
files.  I was able, however, to come up with the following wtmp entry
from one of my hosts:

pool029-               max10.ds         Wed Dec 31 19:00   still logged in

In this example, the wtmp file was obviously corrupted; the first
two fields should contain login name and remote hostname, but
instead, contain the hostname split over two fields.  Also, the date
is wrong - all this occurred prior to Dec 31.  And, the user was not
"still logged in."  However, this makes sense when you consider that
"wtmp" is not a text file, but a structure (defined in utmp.h).  If
the file was corrupted (in an attempt to edit it), you would expect to
see bits of text showing up in the wrong places, and wrong values in
fields that are forced to a date format.

The other host's wtmp file seemed ok and yielded the following:

# last -5 -f wtmp.bak
shutdown  ~                             Tue Dec 15 17:45
moof      ttyp0        pool029-max10.ds Sun Dec 13 21:09 - 21:15 (00:06)
moof      ttyp0        pool029-max10.ds Sun Dec 13 21:08 - 21:08 (00:00)
billp     ttyp0        bill.n2zly.ampr. Fri Dec  4 08:22 - 08:28 (00:05)
billp     ttyp0        bill.n2zly.ampr. Tue Dec  1 23:40 - 00:12 (00:31)

The one thing these two listings have in common is "pool029-max10.ds"
which I presume is "pool029-max10.ds6-ca-us.dialup.earthlink.net"
truncated to fit the wtmp format.  I have no idea who "moof" is.  He
is definitely not one of our users and is not in the passwd file.
My guess is that he was able to substitute his own copy of the
password file containing user "moof" with uid=0 (maybe by exploiting a
bug in nfs - one of the few services that I hadn't turned off).  He
was then able to log in and do his mischief; he placed bogus copies of
"passwd," "chfn," "login," and a few other binaries in one of the bin
directories.  He then restored the original password file and left.
He apparently screwed up this last step, however, as I was unable to
log in (a good clue that something was amiss) and had to boot up on a
floppy.

I have other linux hosts here that were not touched - the one thing
these two had in common is that they both had ampr addresses.  So,
maybe this guy is targeting "linux-ham" sites (maybe he's one of us.
Seen any posts from earthlink lately?), or maybe it was coincidental.
Guess this is a word to the wise.

I also sent a word to the [EMAIL PROTECTED], but have gotten no
reply.  Ziltch.  I wrote again when someone named "root" tried to
pay me a visit:

Jan  3 15:26:53 worm in.telnetd[13096]: connect from [EMAIL PROTECTED]
Jan  3 15:27:17 worm in.rshd[13098]: connect from [EMAIL PROTECTED]

Looks like he tried to log in via telnet, failed, and immediately
tried to invoke a remote shell.  It must've been someone who thought
he had a login on my machine.  And where is 209.178.6.37?  Close enuf.
It resolves to pool037-max9.ds9-ca-us.dialup.earthlink.net!

I provided all the details, including date and time of the intrusions
(plus corrected time - my system clock was off a bit), hoping that
the folks at earthlink could identify the culprit, but they haven't
bothered to reply.  Of course, moof might not be an earthlink
subscriber at all.  Likely he's an intruder there too, but that should
make them all the more concerned.

Of the two hosts, by the way, one is still offline and the other is now
behind a firewall (sorry moof).

I guess like hams that (until recently) have had to do their own police
work, we'll have to catch "moof" and the Happy99 guy on our own.
Anyone out there have a similar experience?

-Bill Plunkett
 n2zly/k2cc
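An added example, not part of the post above: a small wtmp auditor that reads raw records and flags the symptoms described there (text from the host field landing in the user field, a zeroed timestamp that `last` renders as "Wed Dec 31 19:00" in US Eastern, a login by a user who is not in the passwd file). It assumes the 384-byte glibc `struct utmp` layout from utmp.h; the sample records, the `known_users` set and the date window are constructed for the demonstration, reusing hostnames from the post.

```python
import struct
from datetime import datetime, timezone

# Assumed layout: glibc's struct utmp on Linux (384 bytes, see utmp.h).
UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
USER_PROCESS = 7

def cstr(field):  # decode a NUL-padded char[] field, keeping odd bytes visible
    return field.split(b"\0", 1)[0].decode("ascii", "backslashreplace")

def make_record(ut_type, user, line, host, sec):
    """Build one constructed wtmp record (pid/id/addr fields are dummies)."""
    return struct.pack(UTMP_FMT, ut_type, 1234, line.encode(), b"p0",
                       user.encode(), host.encode(), 0, 0, 0, sec, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Yield one dict per whole record; a trailing partial record is ignored."""
    for off in range(0, len(data) - len(data) % UTMP_SIZE, UTMP_SIZE):
        rec = struct.unpack_from(UTMP_FMT, data, off)
        yield {"type": rec[0], "pid": rec[1], "line": cstr(rec[2]),
               "user": cstr(rec[4]), "host": cstr(rec[5]), "sec": rec[9]}

def audit_wtmp(data, known_users, not_before, not_after):
    """Return (record_index, reason) for records that look edited or corrupted."""
    findings = []
    for i, r in enumerate(parse_wtmp(data)):
        if r["sec"] == 0:
            # A zeroed ut_tv prints as the epoch: "Wed Dec 31 19:00" in US Eastern.
            findings.append((i, "zeroed timestamp"))
        elif not not_before <= r["sec"] <= not_after:
            findings.append((i, "timestamp outside expected window"))
        if r["type"] == USER_PROCESS:
            if r["user"] not in known_users:
                findings.append((i, f"login by unknown user {r['user']!r}"))
            if "-" in r["user"] or "." in r["user"]:
                findings.append((i, "user field looks like a hostname fragment"))
            if not r["line"].startswith(("tty", "pts")):
                findings.append((i, f"line field {r['line']!r} is not a tty"))
    return findings

def ts(*ymdhm): return int(datetime(*ymdhm, tzinfo=timezone.utc).timestamp())

# Constructed sample: two plausible logins and one mangled record.
SAMPLE = b"".join([
    make_record(USER_PROCESS, "billp", "ttyp0", "bill.n2zly.ampr.org", ts(1998, 12, 4, 8, 22)),
    make_record(USER_PROCESS, "moof", "ttyp0", "pool029-max10.ds6-ca-us.dialup.earthlink.net", ts(1998, 12, 13, 21, 9)),
    make_record(USER_PROCESS, "pool029-", "max10.ds", "", 0),
])

def sample_findings():  # known users and window are assumptions for the sample
    return audit_wtmp(SAMPLE, {"billp", "root"}, ts(1998, 11, 1, 0, 0), ts(1998, 12, 31, 0, 0))
```

Run `audit_wtmp(open("/var/log/wtmp", "rb").read(), set_of_passwd_users, start, end)` against a copied wtmp to apply the same checks to a real file.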
