Re: Was I hacked?


Subject: Re: Was I hacked?
From: Kelsey Damas (anagram@prtr-13.ucsc.edu)
Date: Thu Aug 17 2000 - 12:01:49 MDT


From the keys of Israel Alvarez:
>
> When I telnetted into my YDL server this morning, I was greeted by this:
>
> "Last login: Wed Aug 16 11:31:58 from
> ip-64-63-37-99.reverse.mobilenetics.com"
>
> No one but me should be accessing this machine, and I don't recognize the
> domain or the IP (I assume it is 64.63.67.99).

Was this a user account, or root? If the latter, then I would be very
concerned. You *really* shouldn't be telnetting in as root (SSH or SRP
telnet, at least).

> I did a find / -mtime 1 to find files modified in the last day, and saw
> nothing suspicious, but I don't know if there's a way of spoofing that. Any
> suggestions? Should I take my server down for a few days? Is there some
> software I can install to block/track possible attacks? Or is this even
> really a cracker?

File access times can be modified with the 'touch' command. I wouldn't trust
them if I were you.

> I don't want my machine to wind up being part of someone's DDOS attack.

Naturally. In the future, you should really place some access control on your
services. You said that "no one but me should be accessing the machine" so
you should certainly use ipchains or TCP Wrappers to block access to all IPs
but the machines that you might be coming from.

For more info on ipchains vs TCP Wrappers, check out this discussion that
happened on openbsd.misc (massive URL, sorry; should be a single line):

http://x57.deja.com/[ST_rn=ps]/viewthread.xp?AN=608918378&search=thread&svcclass=dnyr&ST=PS&CONTEXT=966534503.1175715884&HIT_CONTEXT=966534480.1175846942&HIT_NUM=15&REDO=1&recnum=%3c200004081918.NAA18219@cvs.openbsd.org%3e%231/1&group=openbsd.misc&frpage=viewthread.xp&back=clarinet

If you find that someone actually broke root on your machine, I'm afraid the
best thing to do is re-install from trusted media (CD-ROM). It's just too
easy to set up a rootkit full of backdoors.

-- 
.....................................k.e.l.s.e.y...d.a.m.a.s......
--------------------------------------anagram@cats.ucsc.edu-------
-http://www.porter.ucsc.edu/~anagram/    ---------------
.......... recently updated .......................................
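A check that follows from Kelsey's point about 'touch', added here as an example and not part of the original thread: 'touch' can rewrite a file's mtime and atime, but it cannot set ctime (the inode change time), so 'find -ctime' still flags a freshly planted file that 'find -mtime' misses. It assumes a GNU/Linux box with mktemp and POSIX 'touch -t'; the planted file name is constructed for the demo.

```shell
#!/bin/sh
# Why 'find -mtime' is untrustworthy after an intrusion, and what survives:
# an intruder can backdate mtime/atime with touch, but ctime is set by the
# kernel whenever the inode changes and cannot be chosen by touch.
set -eu

# Create a scratch directory holding one "planted" file (constructed name)
# whose mtime/atime is forged back to 10 Aug 2000. ctime still records now.
setup_demo() {
    demo=$(mktemp -d)
    echo "planted" > "$demo/backdoor.sh"
    touch -t 200008100000 "$demo/backdoor.sh"   # POSIX: [[CC]YY]MMDDhhmm
    printf '%s\n' "$demo"
}

# Files reported as modified (mtime) within the last 24 hours.
count_by_mtime() {
    find "$1" -type f -mtime -1 | wc -l | tr -d ' '
}

# Files whose inode changed (ctime) within the last 24 hours; the forged
# mtime does not help the intruder here.
count_by_ctime() {
    find "$1" -type f -ctime -1 | wc -l | tr -d ' '
}

# Stand-alone run: show both counts side by side, then clean up.
d=$(setup_demo)
echo "mtime-based find sees: $(count_by_mtime "$d") file(s)"   # prints 0
echo "ctime-based find sees: $(count_by_ctime "$d") file(s)"   # prints 1
ls -lc "$d"                                                      # -c shows ctime
rm -rf "$d"
```

ctime can still be defeated by resetting the system clock or editing the filesystem directly, which is why a re-install from trusted media remains the safe answer once root is suspected.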



This archive was generated by hypermail 2a24 : Thu Aug 17 2000 - 12:01:13 MDT