> Actually, just download & install initscripts & the programs you need
> (syslog, sendmail, cron, etc) to get them back. Trouble, yes. But not a
> complete reinstall.

Thanks, I got it working in somewhat good shape again.

> Now, the question still remains what caused it to happen in the first
> place. If a break-in is the answer, you need a reinstall regardless as
> I'll guarantee there are other problems you haven't even located yet.

Could it have been anything OTHER than a crack?

Well, I just checked out /var/log/messages from the day before the weird
stuff happened. Should have done that earlier. Startup in the morning
was normal, shutdown was not -- lpd, crond, etc., shutdown failed.
During the day, this is what showed up: (yeah, all that garbage is
really there!) And what are all the -- MARK -- things? The su activity
for users leroy and micah is (I think) normal. But the connection from
zeus.kernel.org is definitely not! Is there any way to tell from this
how they got in?

Jan 4 15:38:12 nova rpc.statd[351]: gethostbyname error for
^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8049710
8054d98687465676274736f6d616e797265206520726f7220726f66
bffff718
bffff719 bffff71a
bffff71b<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>
Jan 4 15:40:24 nova syslogd 1.3-3: restart.
Jan 4 15:55:19 nova ftpd[1327]: ACCESS DENIED (not in any class) TO
202.175.50.106 [202.175.50.106]
Jan 4 15:55:19 nova ftpd[1327]: FTP LOGIN REFUSED (access denied) FROM
202.175.50.106 [202.175.50.106], ftp
Jan 4 15:55:26 nova ftpd[1327]: FTP session closed
Jan 4 16:20:24 nova -- MARK --
Jan 4 16:40:25 nova -- MARK --
Jan 4 17:00:25 nova -- MARK --
Jan 4 17:20:25 nova -- MARK --
Jan 4 17:40:25 nova -- MARK --
Jan 4 18:00:25 nova -- MARK --
Jan 4 18:20:25 nova -- MARK --
Jan 4 18:40:25 nova -- MARK --
Jan 4 19:00:25 nova -- MARK --
Jan 4 19:20:25 nova -- MARK --
Jan 4 19:40:25 nova -- MARK --
Jan 4 19:41:10 nova PAM_pwdb[1415]: (su) session opened for user leroy
by (uid=500)
Jan 4 19:41:41 nova PAM_pwdb[1469]: (login) session opened for user
micah by (uid=0)
Jan 4 20:00:25 nova -- MARK --
Jan 4 20:08:35 nova PAM_pwdb[1544]: (su) session opened for user root
by micah(uid=500)
Jan 4 20:09:40 nova PAM_pwdb[1544]: (su) session closed for user root
Jan 4 20:20:25 nova -- MARK --
Jan 4 20:40:25 nova -- MARK --
Jan 4 21:00:25 nova -- MARK --
Jan 4 21:20:25 nova -- MARK --
Jan 4 21:40:25 nova -- MARK --
Jan 4 22:00:25 nova -- MARK --
Jan 4 22:20:25 nova -- MARK --
Jan 4 22:40:25 nova -- MARK --
Jan 4 23:00:25 nova -- MARK --
Jan 4 23:20:25 nova -- MARK --
Jan 4 23:40:25 nova -- MARK --
Jan 4 23:47:39 nova oidentd[1788]: Connection from zeus.kernel.org
(209.10.41.242):2738
Jan 4 23:47:39 nova oidentd[1788]: [209.10.41.242] Successful lookup:
1690 , 21 : micah
(micah)
Jan 5 00:00:25 nova -- MARK --
Jan 5 00:20:25 nova -- MARK --
Jan 5 00:40:25 nova -- MARK --
Jan 5 01:00:25 nova -- MARK --
Jan 5 01:10:42 nova PAM_pwdb[1415]: (su) session closed for user leroy
Jan 5 01:36:22 nova PAM_pwdb[1469]: (login) session closed for user
micah
Jan 5 01:36:22 nova inetd[1289]: pid 1468: exit status
1
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
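
An added example, not part of the original post: a Python triage script that rejoins wrapped syslog lines like the ones in the message above, drops syslogd's periodic `-- MARK --` lines, and flags entries whose message carries long `<90>` runs, `bffff...` stack-range addresses or high-bit bytes, as the rpc.statd entry does. The check names, the thresholds and the shortened `SAMPLE` lines are assumptions made for the illustration.

```python
import re

# Start of a syslog entry: "Jan 4 15:38:12 host rest-of-line".
STAMP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")

# Heuristics (assumed thresholds): things a daemon should never log as a hostname.
CHECKS = {
    "nop-run": re.compile(r"(?:<90>\s*){8,}"),           # syslogd rendering of 0x90 bytes
    "stack-addr": re.compile(r"\bbffff[0-9a-f]{3}\b"),   # printed pointers into the stack range
    "non-printable": re.compile(r"[\x00-\x08\x0e-\x1f\x7f-\xff]"),
}

def parse(lines):
    """Rejoin wrapped lines into [timestamp, program, message]; drop MARK entries."""
    records = []
    for line in lines:
        m = STAMP.match(line)
        if not m:                      # no timestamp: continuation of the previous entry
            if records:
                records[-1][2] += " " + line.strip()
            continue
        prog, _, msg = m.group(3).partition(": ")
        records.append([m.group(1), re.sub(r"\[\d+\]$", "", prog), msg])
    return [r for r in records if r[1] != "-- MARK --"]

def flag(lines):
    """Return (timestamp, program, reasons) for every entry that trips a check."""
    hits = []
    for stamp, prog, msg in parse(lines):
        reasons = sorted(name for name, rx in CHECKS.items() if rx.search(msg))
        if reasons:
            hits.append((stamp, prog, reasons))
    return hits

# Constructed sample: shortened versions of the lines quoted in the post.
SAMPLE = [
    "Jan 4 15:38:12 nova rpc.statd[351]: gethostbyname error for",
    "^X\u00f7\u00ff\u00bf^X\u00f7\u00ff\u00bfbffff750 8049710",
    "bffff718",
    "bffff71b" + "<90>" * 12,
    "<90>" * 12,
    "Jan 4 15:40:24 nova syslogd 1.3-3: restart.",
    "Jan 4 15:55:19 nova ftpd[1327]: FTP LOGIN REFUSED (access denied) FROM",
    "202.175.50.106 [202.175.50.106], ftp",
    "Jan 4 16:20:24 nova -- MARK --",
    "Jan 4 20:08:35 nova PAM_pwdb[1544]: (su) session opened for user root",
    "by micah(uid=500)",
]

if __name__ == "__main__":
    for hit in flag(SAMPLE):
        print(hit)
```

Run against a full /var/log/messages, it narrows the review to the entries worth reading by hand; a hit marks an entry to investigate and does not by itself prove how a host was entered.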