Computer Security - Gentoo linux you decide (revision 2)

 
Old 11-03-2003, 10:58 AM   #1
Sponge
Re: Gentoo linux you decide (revision 2)

On Mon, 03 Nov 2003 10:34:41 -0800, a-wall wrote:

> Hi, I have been in the business of administration for Unix and Linux for
> almost ten years now.
> My laptop was hacked, and in such a way that AIDE, a free version of
> Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
> system. I was testing WiFi and my iptables firewall was messed up for a
> day.
>
> I believe the attack originated from a #gentoo-sparc channel, but I nuked
> all my logs in a hurry to get the system back up.
>
> I did an lsattr, and /bin/ps, /bin/netstat among other binaries had been
> changed to immutable, and md5sums didn't match the ones on record.
>
> I have most of the hacked system on my NFS server and am bringing it
> back up to watch traffic.
>
> The trojan was sending data to IP address 224.0.0.251 on port 5353.
> I cannot find who owns this IP address and it could be a decoy.
>
> I replaced these to attempt to track down the hackers and the lib
> disappeared, but I still have hacked binaries, /bin/login etc., on tape.
>
> I should have just left it alone so I didn't inadvertently destroy
> evidence.
>
> When I asked for help from the second in command at Gentoo Linux I
> received none, and the following is what I have so far.
>
> My legal aide and I came in as botched and themp/th3mp in this
> conversation with seemant, the second in command at Gentoo.


Uh, after 10 years administering Unix and Linux, you should surely be
aware that the IP you mentioned is a multicast address.

--
Sponge
Sponge's Secure Solutions
www.geocities.com/yosponge
My new email: yosponge2 att yahoo dott com




Old 11-03-2003, 06:34 PM   #2
a-wall
Gentoo linux you decide (revision 2)
Hi, I have been in the business of administration for Unix and Linux for
almost ten years now.
My laptop was hacked, and in such a way that AIDE, a free version of
Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
system. I was testing WiFi and my iptables firewall was messed up for a
day.

I believe the attack originated from a #gentoo-sparc channel, but I nuked
all my logs in a hurry to get the system back up.

I did an lsattr, and /bin/ps, /bin/netstat among other binaries had been
changed to immutable, and md5sums didn't match the ones on record.

I have most of the hacked system on my NFS server and am bringing it
back up to watch traffic.

The trojan was sending data to IP address 224.0.0.251 on port 5353.
I cannot find who owns this IP address and it could be a decoy.

I replaced these to attempt to track down the hackers and the lib
disappeared, but I still have hacked binaries, /bin/login etc., on tape.

I should have just left it alone so I didn't inadvertently destroy
evidence.

When I asked for help from the second in command at Gentoo Linux I
received none, and the following is what I have so far.

My legal aide and I came in as botched and themp/th3mp in this
conversation with seemant, the second in command at Gentoo.
>
> seemant is
>
> as follows
>
> Nov 01 13:00:33 <botched> if i ask politely for logs concerning
> conversations with themp from oct-12th through the 29th will gentoo be
> so kind as to supply them ? also, i just need them for this channel.
> Nov 01 13:01:24 <wesolows> botched: It seems Gentoo can't; if you trust
> me, you can have mine, but they're not "official"
> Nov 01 13:02:58 <botched> i would like yours even if not official. if
> indeed the extent of damage is as is vast as we can tell so far a
> subpoena will have to be issued.
> Nov 01 13:03:23 <wesolows> oh dear
> Nov 01 13:03:42 <botched> yes ,this is a very serious issue
> Nov 01 13:03:58 <botched> it is already cost much money
> Nov 01 13:04:01 <wesolows> sorry, I don't want any involvement then
> Nov 01 13:04:15 <wesolows> even as an unofficial helpful provider of
> personal logs
> Nov 01 13:04:20 <botched> wesolows not even to give channel logs ?
> Nov 01 13:04:43 <wesolows> no, I'm sorry, because they could be
> incomplete, and there's no way to know if that's the case.
> Nov 01 13:05:01 <botched> I personally think compliance from gentoo would
> be a good thing for all sides
> Nov 01 13:05:52 <botched> I can't until I have investigated further, and
> cannot disclose more information at this point in time.
> Nov 01 13:06:02 <seemant> botched: what damage?
> Nov 01 13:06:05 <seemant> and what issue?
> Nov 01 13:06:25 <seemant> and don't you try and threaten people about
> subpoenas and legal action
> Nov 01 13:06:34 <seemant> if there's a problem, I'm the one to talk to
> Nov 01 13:07:31 <seemant> botched: now, if you have something to say,
> talk to me, and leave everyone else in here the HELL ALONE
> Nov 01 13:07:32 <seemant> got me?
> Nov 01 13:07:49 <botched> I would like to discuss this with you but not
> on irc
> Nov 01 13:09:14 <botched> seemant, themp's system was hacked on october
> 12th attack originating from an ip which frequests this #gentoo-sparc
> irc channel
> Nov 01 13:10:21 * `Kumba avoids formulating theories and goes to fetch
> screwdriver handle
> Nov 01 13:10:34 <seemant> botched: then you can very well email me
> Nov 01 13:11:07 * xming checking his system for intruders
> Nov 01 13:11:10 <botched> excuse me frequents
> Nov 01 13:11:17 <seemant> botched: and, when you do, I want your full
> name and your full credentials that I can personally verify
> Nov 01 13:11:49 <botched> Seemant i am finished
> Nov 01 13:12:13 * bazik looks at Epidemic
> Nov 01 13:12:38 <seemant> botched: good, and I'll thank you to shut up
> in this channel with the threatening of the people, in the future
>
> and in private message with seemant, second in command at gentoo.
>
> **** BEGIN LOGGING AT Sat Nov 1 14:34:14 2003
>
> Nov 01 14:34:16 <th3mp> yo
> Nov 01 14:35:29 <th3mp> why do you have such an issue with me tracking
> down hackers do you have some kind of policy at gentoo against this ?
> Nov 01 14:35:37 --- Received a CTCP VERSION from bazik
> Nov 01 14:36:39 >version< CTCP TH3MP
> Nov 01 14:36:48 >th3mp< CTCP VERSION
> Nov 01 14:36:48 --- Received a CTCP VERSION from th3mp
> Nov 01 14:37:21 --- Received a CTCP VERSION from botched
> [seemant has address
> ~]
> Nov 01 14:39:20 <seemant> you do what you have to do
> Nov 01 14:39:21 <seemant> but
> Nov 01 14:39:33 <seemant> you've been carrying on in completely the
> WRONG way
> Nov 01 14:39:54 <th3mp> okay then how would you like me to carry on i
> cant read your mind
> Nov 01 14:39:55 <seemant> you do NOT come into the channel (a. ****ing
> pretending you're someone else) and b. threatening people with subpoenas
> Nov 01 14:40:04 <seemant> carry on with civility
> Nov 01 14:40:09 <seemant> NOT with threats
> Nov 01 14:40:13 <th3mp> i m not doing anything or threatening anything
> Nov 01 14:40:20 <seemant> right now, all there is is your word that you
> got hacked
> Nov 01 14:40:22 <seemant> no proof
> Nov 01 14:40:34 <seemant> and you come in here with threats about
> calling lawyers and issuing subpoenas
> Nov 01 14:40:45 <seemant> if you have intent to do that, then just do it
> Nov 01 14:40:59 <seemant> don't come in here acting all macho and being
> an ass about it
> Nov 01 14:41:11 <th3mp> my lawyer will be online as soon as i set up a bnc
> Nov 01 14:41:25 <th3mp> if that how you take it seemant that is your
> issue not mine
> Nov 01 14:41:31 <seemant> then let him come online
> Nov 01 14:41:33 <th3mp> i am not being macho
> Nov 01 14:41:39 <seemant> if you wish
> Nov 01 14:41:47 <seemant> I'm done with the convo
> Nov 01 14:42:07 <seemant> if your lawyer needs to contact ANYONE in the
> channel, s/he contacts me first, as I am the one in charge of the channel
> Nov 01 14:42:15 <th3mp> okay seemant why are you so upset anyways ?
> Nov 01 14:42:18 <seemant> and like I told you before, full name and
> verifiable credentials
> Nov 01 14:42:29 <seemant> because I do not like your attitude th3mp
> Nov 01 14:42:32 <seemant> that's why
> Nov 01 14:42:38 <th3mp> seemant you dont make security policies on
> freenode and you dont own gentoo
> Nov 01 14:42:48 <seemant> I own this channel
> Nov 01 14:42:52 <seemant> simple as that
> Nov 01 14:42:56 <th3mp> okay then you own this channel
> Nov 01 14:43:03 <seemant> as far as owning gentoo, I am the second in
> command at gentoo
> Nov 01 14:43:14 <th3mp> thats nice to know
> Nov 01 14:43:45 <seemant> and your box being hacked, is not a freenode
> security policy
> Nov 01 14:43:51 <seemant> it's a "your box" security policy
> Nov 01 14:44:30 <th3mp> not if you dont wish you help by giving
> information anyother distro who owns a channel would gladly give out
> Nov 01 14:44:35 <th3mp> its like you have something to hide
> Nov 01 14:44:46 <th3mp> at least thats how it looks to me
> Nov 01 14:44:48 <seemant> as for my developers, I will stand by them
> 100%; IF your box got hacked, it was NOT a gentoo developer or a
> representative of gentoo
> Nov 01 14:44:51 <seemant> hahaha
> Nov 01 14:44:52 <seemant> you're funny
> Nov 01 14:45:00 <th3mp> why ?
> Nov 01 14:45:05 <seemant> I'd almost say you're cute, except for the
> fact that you're annoying
> Nov 01 14:45:15 <seemant> if you want co-operation, ask for it NICELY
> Nov 01 14:45:18 <seemant> not with a threat
> Nov 01 14:45:24 <th3mp> why wouldnt you help seems like that would be
> the proper thing to do and the ethical one
> Nov 01 14:45:33 <th3mp> there was no threat
> Nov 01 14:45:34 <seemant> you never asked me for help
> Nov 01 14:45:38 <seemant> not nicely, not any other way
> Nov 01 14:45:46 <seemant> you spouted off about subpoenas straight off
> Nov 01 14:45:53 <seemant> sorry, but that doesn't seem like "asking for
> help"
> Nov 01 14:46:01 <th3mp> perhaps, i didnt have the social skills to ask
> you the way you wanted
> Nov 01 14:46:06 <seemant> anyhow, I'm done, and I'm putting you on
> /ignore now
> Nov 01 14:46:17 <th3mp> okay seemant
> **** ENDING LOGGING AT Sat Nov 1 14:52:00 2003
>
>




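The indicators a-wall lists in the post above (md5sums that no longer match the records, /bin/ps and /bin/netstat flipped to immutable, a preloaded library hiding the filesystem from AIDE) and Sponge's point that 224.0.0.251 is a multicast address, worked through as an added triage example. This is not code from either post or from Gentoo; every path, hash, library name and connection in it is constructed for illustration, and the functions take their inputs as data so the same checks can be run from a clean boot against the suspect disk mounted read-only rather than on the running host.

```python
"""Triage of the indicators in the thread: md5 mismatches against a recorded
manifest, binaries flagged immutable (+i) in lsattr output, a library
injected through /etc/ld.so.preload or LD_PRELOAD, and an outbound
destination that turns out to be a multicast group rather than a host with
an owner.

Added example for this thread, not code from the original posts.  All
inputs below are constructed.  Results from a live host are not trustworthy
when a preloaded library hooks libc (open/stat/readdir) in every dynamically
linked process, which is exactly how AIDE was blinded, so feed these
functions data gathered from a clean boot.
"""
import hashlib
import ipaddress
from typing import Dict, Iterable, List

# --- constructed inputs ------------------------------------------------
CLEAN_FILES = {                       # contents when the manifest was recorded
    "/bin/ps": b"ELF clean ps",
    "/bin/netstat": b"ELF clean netstat",
    "/bin/login": b"ELF clean login",
}
BASELINE = {path: hashlib.md5(data).hexdigest() for path, data in CLEAN_FILES.items()}
CURRENT_FILES = {                     # what is on the suspect disk now
    "/bin/ps": b"ELF trojaned ps",
    "/bin/netstat": b"ELF trojaned netstat",
    "/bin/login": b"ELF clean login",
}
LSATTR_OUTPUT = """\
----i---------e---- /bin/ps
----i---------e---- /bin/netstat
--------------e---- /bin/login
"""
LD_SO_PRELOAD = "/usr/lib/libhide.so   # constructed name, not a real library\n"
CONNECTIONS = [("224.0.0.251", 5353), ("10.0.0.7", 2049)]   # mDNS group, NFS server


def verify_manifest(baseline: Dict[str, str], current: Dict[str, bytes],
                    algo: str = "md5") -> List[str]:
    """Report every recorded path whose current hash differs or that is gone.
    md5 is used because the post's records were md5; a fresh baseline should
    use sha256 and live on read-only media, off the host it describes."""
    findings = []
    for path, recorded in baseline.items():
        data = current.get(path)
        if data is None:
            findings.append(f"{path}: missing")
        elif hashlib.new(algo, data).hexdigest() != recorded.lower():
            findings.append(f"{path}: hash mismatch")
    return findings


def immutable_from_lsattr(lines: Iterable[str], expected: Iterable[str] = ()) -> List[str]:
    """Parse lsattr lines ('<flags> <path>') and return paths with +i set that
    are not on the allow list.  An immutable /bin/ps is a classic rootkit
    tell: it keeps package upgrades from overwriting the replaced binary."""
    allowed = set(expected)
    found = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flags, _, path = line.partition(" ")
        if "i" in flags and path.strip() not in allowed:
            found.append(path.strip())
    return found


def preload_libraries(ld_so_preload: str, env: Dict[str, str]) -> List[str]:
    """Every library the dynamic loader would inject into new processes.
    /etc/ld.so.preload normally does not exist and LD_PRELOAD is normally
    unset, so anything returned here deserves a look."""
    libs = []
    for line in ld_so_preload.splitlines():
        libs.extend(line.split("#", 1)[0].replace(":", " ").split())
    libs.extend(env.get("LD_PRELOAD", "").replace(":", " ").split())
    return libs


def classify_destination(ip: str, port: int) -> str:
    """Decide whether a destination can be attributed to an owner at all."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        name = "mDNS (RFC 6762)" if (ip, port) == ("224.0.0.251", 5353) else "multicast group"
        return f"multicast: {name}; no owner to look up, see /proc/net/igmp for who joined"
    if not addr.is_global:
        return "not globally routable (private, loopback, link-local or reserved)"
    return "unicast: candidate for whois/abuse lookup"


def triage() -> Dict[str, object]:
    """Run all four checks over the constructed inputs."""
    return {
        "hash_mismatch": verify_manifest(BASELINE, CURRENT_FILES),
        "immutable": immutable_from_lsattr(LSATTR_OUTPUT.splitlines()),
        "preload": preload_libraries(LD_SO_PRELOAD, {}),
        "destinations": {f"{ip}:{port}": classify_destination(ip, port)
                         for ip, port in CONNECTIONS},
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

Two caveats a responder would add. First, 224.0.0.251:5353 is the ordinary mDNS service-discovery group, which any Avahi or Bonjour-style daemon on the segment talks to, so traffic there is not by itself evidence of a trojan; what matters is which process holds the socket, and that has to be read with trusted tools (netstat -p or lsof -i from clean media, since /bin/netstat was one of the replaced binaries). Second, image the disk before touching anything, and if a binary must be replaced, chattr -i it first rather than deleting and recreating, so the original and its attributes survive for the investigation the post says it wanted.
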
Old 11-03-2003, 07:12 PM   #3
donutbandit
Re: Gentoo linux you decide (revision 2)
a-wall <a-> wrote in
news:wexpb.169$:

> Hi, I have been in the business of administration for Unix and Linux for
> almost ten years now.
> My laptop was hacked, and in such a way that AIDE, a free version of
> Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
> system. I was testing WiFi and my iptables firewall was messed up for a
> day.



I thought Linux was completely safe. at least, that's what certain people
would have you believe.


Old 11-03-2003, 11:02 PM   #4
Jason
Re: Gentoo linux you decide (revision 2)
* donutbandit <>:
> a-wall <a-> wrote in
> news:wexpb.169$:
>
>> Hi, I have been in the business of administration for Unix and Linux for
>> almost ten years now.
>> My laptop was hacked, and in such a way that AIDE, a free version of
>> Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
>> system. I was testing WiFi and my iptables firewall was messed up for a
>> day.

>
>
> I thought Linux was completely safe. at least, that's what certain people
> would have you believe.


The only completely safe box is the one still in the packing box, and you know
it. Or maybe a standalone that's never on any network of any sort.

Jason


Old 11-04-2003, 12:49 AM   #5
Dazz
Re: Gentoo linux you decide (revision 2)
On 3 Nov 2003 19:12:18 GMT, donutbandit <> wrote:

>a-wall <a-> wrote in
>news:wexpb.169$:
>
>> Hi, I have been in the business of administration for Unix and Linux for
>> almost ten years now.
>> My laptop was hacked, and in such a way that AIDE, a free version of
>> Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
>> system. I was testing WiFi and my iptables firewall was messed up for a
>> day.

>
>
>I thought Linux was completely safe. at least, that's what certain people
>would have you believe.


Why would you say that?

If a computer is networked, or even if someone has physical access to
it, then it can't be truly regarded as safe.

Security isn't something that can be narrowed down to just the
Operating System.

Most Operating Systems straight out of the box aren't secure (some
more so than others).

The reality is that there are all sorts of things that must be taken
into consideration in regards to computer security, such as what
services you're running on the box, what your users are allowed to
do, how well you keep the box patched, etc. etc. etc.

It's also important to realise that there is a difference between an
Operating System being exploited, and, for instance, a daemon running
on top of that Operating System.

An example of this, would be say, Apache. Just because Apache has a
vulnerability and can be open to exploit, does not mean that Linux was
at fault (this is something that's often overlooked by Micro$oft
biased media reports).

And that's something a lot of people seem to forget.

Having said that, this is more true regarding *nix boxes than Windows
boxes, as Micro$oft usually develops the daemons listening on top of
the Operating System as well ie IIS.

Obviously, this isn't always the case as well, as there are third
parties that develop daemons for Windows as well.

Dazz



Old 11-04-2003, 12:56 AM   #6
Dazz
Re: Gentoo linux you decide (revision 2)
On Mon, 03 Nov 2003 10:34:41 -0800, a-wall <a-> wrote:

<snipped>

>I believe the attack originated from a #gentoo-sparc channel but I nuked
>all my logs in a hurry to get the system back up.


<snipped>

> When I asked for help from the second in command at Gentoo Linux I
> received none and the following is what i have so far.


Why would you expect them to help you?

Because you believe the attack originated from a #gentoo-sparc
channel?

If that's the case, then I'm not surprised that they haven't contacted
you.

Dazz



Old 11-08-2003, 05:48 AM   #7
a-wall
Re: Gentoo linux you decide (revision 2)
Sponge wrote:
> On Mon, 03 Nov 2003 10:34:41 -0800, a-wall wrote:
>
>
>> Hi, I have been in the business of administration for Unix and Linux for
>> almost ten years now.
>> My laptop was hacked, and in such a way that AIDE, a free version of
>> Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
>> system. I was testing WiFi and my iptables firewall was messed up for a
>> day.
>>
>> I believe the attack originated from a #gentoo-sparc channel, but I nuked
>> all my logs in a hurry to get the system back up.
>>
>> I did an lsattr, and /bin/ps, /bin/netstat among other binaries had been
>> changed to immutable, and md5sums didn't match the ones on record.
>>
>> I have most of the hacked system on my NFS server and am bringing it
>> back up to watch traffic.
>>
>> The trojan was sending data to IP address 224.0.0.251 on port 5353.
>> I cannot find who owns this IP address and it could be a decoy.
>>
>> I replaced these to attempt to track down the hackers and the lib
>> disappeared, but I still have hacked binaries, /bin/login etc., on tape.
>>
>> I should have just left it alone so I didn't inadvertently destroy
>> evidence.
>>
>> When I asked for help from the second in command at Gentoo Linux I
>> received none, and the following is what I have so far.
>>
>> My legal aide and I came in as botched and themp/th3mp in this
>> conversation with seemant, the second in command at Gentoo.

>
>
> Uh, after 10 years administering Unix and Linux, you should surely be
> aware that the IP you mentioned is a multicast address.
>


Yes, I know it's a multicast address. I still have to troll a little for
more information. As to the validity of my logs, if I were whomever is
questioning the validity of them, I would try to get the valid logs from
gentoo-sparc.

And if you use the word "Uh" you must be 15, correct?



Old 11-08-2003, 09:22 AM   #8
Jim Watt
Re: Gentoo linux you decide (revision 2)
On Fri, 07 Nov 2003 21:48:54 -0800, a-wall <a-> wrote:

>And if you use the word "Uh" you must be 15, correct?


Uh no, I don't think he is, but he knows what the
address block is.

--
Jim Watt http://www.gibnet.com

