[plug] Tonight's meeting
Peter Wright
pete at akira.apana.org.au
Mon Jun 24 10:50:11 WST 2002
On Mon, Jun 24, 2002 at 10:08:38AM +0800, Anthony J. Breeds-Taurima wrote:
> Hello All,
Hi Tony,
> Just a gentle reminder about tonight's meeting at UCC. It is a normal
> troubleshooting meeting. If you're going to be bringing along a PC
> then bringing all the hardware will make fixing problems easier, and
> you won't also need to queue for one of the two 14" SVGA monitors
> available.
Well, would anyone with some network security knowledge be interested in
having a look at a cracked machine? :-)
Yes, I must shamefully admit, some brainless dickhead with a rootkit
rooted my dialup gateway machine (a 486 running Debian) over the
weekend - as far as I can tell, looks like it started Friday evening
around 8pm.
"Brainless dickhead?" I hear you say (with a grin on your face). "Well,
what does that make you, Pete, considering this brainless dickhead
rooted your machine?"
Well, in a word, it makes me careless. Said machine had been up quite
happily for just over a year when its run was finally ended by a
ten-second brownout about a week ago. I very very carelessly let it
reboot and reconnect to the net without remembering that a bunch of
default services were starting up exposed to the outer world.
Apparently, one of those services (I'm not sure which one yet) was
exploitable. Some script kiddie with a portscanner spotted it and
toasted me.
D'oh.
> Hope to see many machines leaving with problems resolved.
>
> Yours Tony
Pete, who has replaced that now-shut-down-and-offline machine with an
OpenBSD machine - and is eating liberal chunks of humble pie :).
PS. In case you're wondering exactly why I thought the script kiddie in
question was so brainless, it's because his tracks were - well - not
exactly subtle. A collection of system utilities (find, ifconfig,
netstat, ps, login) very obviously replaced (owned by the nonexistent
user.group 500.500 instead of root.root), the root password changed...
and, well, a bunch of other things. I managed to grab a couple of IP
addresses he was connecting from, as well - though odds are they're
just other cracked machines in his stable. I suspect he was either
(a) stupid, (b) lazy, (c) didn't really care if he was spotted, or
(d) all of the above.
--
http://akira.apana.org.au/~pete/
Klingon programmer sayings:
2. "You question the worthiness of my code? I will kill you where
you stand!"
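The ownership indicator described in the PS (core utilities owned by a nonexistent 500.500 instead of root.root) can be checked mechanically. The script below is an added example, not part of the original post; it assumes GNU `stat` and the usual Debian paths for the utilities named, and reads `path uid gid` lines so that the flagging logic can also be run over a listing taken from a trusted boot medium.

```sh
#!/bin/sh
# Flag files whose owner or group is not root (uid 0 / gid 0).
# Reads "path uid gid" lines on stdin, as produced by `stat -c '%n %u %g'`,
# and prints one line per suspicious entry. Paths with spaces are not
# handled (assumption: system utility paths contain none).
flag_nonroot_owned() {
    while read -r path uid gid; do
        [ -z "$path" ] && continue
        if [ "$uid" != "0" ] || [ "$gid" != "0" ]; then
            printf '%s owned by %s:%s\n' "$path" "$uid" "$gid"
        fi
    done
}

# Check the utilities the post names. Paths are assumed Debian defaults;
# a file that is missing is skipped rather than reported.
check_core_utils() {
    for f in /usr/bin/find /sbin/ifconfig /bin/netstat /bin/ps /bin/login; do
        [ -e "$f" ] && stat -c '%n %u %g' "$f"
    done | flag_nonroot_owned
}

# Constructed sample listing mimicking the compromise described above:
sample_listing() {
    printf '/bin/ps 500 500\n/bin/login 0 0\n/sbin/ifconfig 0 500\n'
}
```

Because the replaced `find`/`ps` may lie about the filesystem, run the ownership listing from a clean boot medium and compare against the package manager's records (Debian's `debsums`) rather than trusting the suspect host's own tools.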