[juneau-lug] juneau-lug.org website off line temporarily

  • From: Myron Davis <myrond@xxxxxxxxx>
  • To: juneau-lug@xxxxxxxxxxxxx
  • Date: Thu, 3 Feb 2005 18:49:54 -0900

Unfortunately my box got broken into via awstats + a program called
brk2 which was executed:
http://www.securityfocus.com/advisories/7920

I suppose it should have been updated.  The bad news is the backup box
recently suffered a hardware failure and was not up, and the
replacement box for the backup box just came up a day earlier.

The SuckIT root kit was installed at 12:57am Feb 2nd, it was turned
into sniffer mode and attempted to gather passwords to other machines;
I was notified by tiger at 1:00am on Feb 2nd of the break-in as they
added/removed files from the running system.

As I feverishly backed everything up from the primary system to the
backup (I still had an offline backup), the vandals logged into the box,
checked out the /usr/share/.X12-kernel/.sniffer file and saw that I
had ssh keys setup and logged into a new backup box I got and promptly
rooted that one too.  (I know because the .sniffer file was log cycled
about that time).

SuckIT modified the syscalls of the machine and in that particular version
the "u" parameter did not work.  (no uninstall procedure).

I attempted to fix it by accessing /dev/kmem and rewriting the
syscalls on the fly back to their original via a saved copy of the
System.map.  But I failed.

The box had a 400+ day uptime but no longer.

After replacing init (and the hidden copy) with a known good copy of
init and attempting to restart neither box would ever copy back and I
haven't heard from them again.  I am still working on restoring
services... and it will happen.

Cheers!

-Myron
