Gentoo linux you decide (revision 2)

Discussion in 'Computer Security' started by Sponge, Nov 3, 2003.

  1. Sponge

    Sponge Guest

    On Mon, 03 Nov 2003 10:34:41 -0800, a-wall wrote:

    > Hi, I have been in the business of administration for Unix and Linux for
    > almost ten years now.
    > My laptop was hacked, and in such a way that AIDE, a free version of
    > Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
    > system. I was testing WiFi and my iptables firewall was messed up for a
    > day.
    >
    > I believe the attack originated from a #gentoo-sparc channel, but I nuked
    > all my logs in a hurry to get the system back up.
    >
    > I did an lsattr and /bin/ps, /bin/netstat among other binaries had been
    > changed to immutable, and md5sums didn't match the ones on record.
    >
    > I have most of the hacked system on my NFS server and am bringing it
    > back up to watch traffic.
    >
    > The trojan was sending data to IP address 224.0.0.251 on port 5353.
    > I cannot find who owns this IP address, and it could be a decoy.
    >
    > I replaced these to attempt to track down the hackers and the lib
    > disappeared, but I still have hacked binaries (/bin/login etc.) on tape.
    >
    > I should have just left it alone so I didn't inadvertently destroy
    > evidence.
    >
    > When I asked for help from the second in command at Gentoo Linux I
    > received none, and the following is what I have so far.
    >
    > I and my legal aide came in as botched and themp/th3mp in this
    > conversation with seemant, the second in command at Gentoo.


    Uh, after 10 years administering Unix and Linux, you should surely be
    aware that the IP you mentioned is a multicast address.

    --
    Sponge
    Sponge's Secure Solutions
    www.geocities.com/yosponge
    My new email: yosponge2 att yahoo dott com
     
    Sponge, Nov 3, 2003
    #1

  2. a-wall

    a-wall Guest

    Hi, I have been in the business of administration for Unix and Linux for
    almost ten years now.
    My laptop was hacked, and in such a way that AIDE, a free version of
    Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
    system. I was testing WiFi and my iptables firewall was messed up for a
    day.

    I believe the attack originated from a #gentoo-sparc channel, but I nuked
    all my logs in a hurry to get the system back up.

    I did an lsattr and /bin/ps, /bin/netstat among other binaries had been
    changed to immutable, and md5sums didn't match the ones on record.

    I have most of the hacked system on my NFS server and am bringing it
    back up to watch traffic.

    The trojan was sending data to IP address 224.0.0.251 on port 5353.
    I cannot find who owns this IP address, and it could be a decoy.

    I replaced these to attempt to track down the hackers and the lib
    disappeared, but I still have hacked binaries (/bin/login etc.) on tape.

    I should have just left it alone so I didn't inadvertently destroy
    evidence.

    When I asked for help from the second in command at Gentoo Linux I
    received none, and the following is what I have so far.

    I and my legal aide came in as botched and themp/th3mp in this
    conversation with seemant, the second in command at Gentoo.
    >
    > seemant is
    >
    > as follows
    >
    > Nov 01 13:00:33 <botched> if i ask politely for logs concerning
    > conversations with themp from oct-12th through the 29th will gentoo be
    > so kind as to supply them ? also, i just need them for this channel.
    > Nov 01 13:01:24 <wesolows> botched: It seems Gentoo can't; if you trust
    > me, you can have mine, but they're not "official"
    > Nov 01 13:02:58 <botched> i would like yours even if not official. if
    > indeed the extent of damage is as is vast as we can tell so far a
    > subpoena will have to be issued.
    > Nov 01 13:03:23 <wesolows> oh dear
    > Nov 01 13:03:42 <botched> yes ,this is a very serious issue
    > Nov 01 13:03:58 <botched> it is already cost much money
    > Nov 01 13:04:01 <wesolows> sorry, I don't want any involvement then
    > Nov 01 13:04:15 <wesolows> even as an unofficial helpful provider of
    > personal logs
    > Nov 01 13:04:20 <botched> wesolows not even to give channel logs ?
    > Nov 01 13:04:43 <wesolows> no, I'm sorry, because they could be
    > incomplete, and there's no way to know if that's the case.
    > Nov 01 13:05:01 <botched> I personally think compiance from gentoo would
    > be a good thing for all sides
    > Nov 01 13:05:52 <botched> I cant untill i have investegated further, and
    > cannot disclose more information at this point in time.
    > Nov 01 13:06:02 <seemant> botched: what damage?
    > Nov 01 13:06:05 <seemant> and what issue?
    > Nov 01 13:06:25 <seemant> and don't you try and threaten people about
    > subpoenas and legal action
    > Nov 01 13:06:34 <seemant> if there's a problem, I'm the one to talk to
    > Nov 01 13:07:31 <seemant> botched: now, if you have something to say,
    > talk to me, and leave everyone else in here the HELL ALONE
    > Nov 01 13:07:32 <seemant> got me?
    > Nov 01 13:07:49 <botched> I would like to discuss this with you but not
    > on irc
    > Nov 01 13:09:14 <botched> seemant, themp's system was hacked on october
    > 12th attack originating from an ip which frequests this #gentoo-sparc
    > irc channel
    > Nov 01 13:10:21 * `Kumba avoids formulating theories and goes to fetch
    > screwdriver handle
    > Nov 01 13:10:34 <seemant> botched: then you can very well email me
    > Nov 01 13:11:07 * xming checking his system for intruders
    > Nov 01 13:11:10 <botched> excuse me frequents
    > Nov 01 13:11:17 <seemant> botched: and, when you do, I want your full
    > name and your full credentials that I can personally verify
    > Nov 01 13:11:49 <botched> Seemant i am finished
    > Nov 01 13:12:13 * bazik looks at Epidemic
    > Nov 01 13:12:38 <seemant> botched: good, and I'll thank you to shut up
    > in this channel with the threatening of the people, in the future
    >
    > and in private message with seemant, second in command at Gentoo.
    >
    > **** BEGIN LOGGING AT Sat Nov 1 14:34:14 2003
    >
    > Nov 01 14:34:16 <th3mp> yo
    > Nov 01 14:35:29 <th3mp> why do you hve such an issue with me tracking
    > down hackers do you have some kinda of policy at gentoo against this ?
    > Nov 01 14:35:37 --- Received a CTCP VERSION from bazik
    > Nov 01 14:36:39 >version< CTCP TH3MP
    > Nov 01 14:36:48 >th3mp< CTCP VERSION
    > Nov 01 14:36:48 --- Received a CTCP VERSION from th3mp
    > Nov 01 14:37:21 --- Received a CTCP VERSION from botched
    > [seemant has address
    > ~]
    > Nov 01 14:39:20 <seemant> you do what you have to do
    > Nov 01 14:39:21 <seemant> but
    > Nov 01 14:39:33 <seemant> you've been carrying on in completely the
    > WRONG way
    > Nov 01 14:39:54 <th3mp> okay then how ouwld you like me to carry on i
    > cant read your mind
    > Nov 01 14:39:55 <seemant> you do NOT come into the channel (a. fucking
    > pretending you're someone else) and b. threatening people with subpoenas
    > Nov 01 14:40:04 <seemant> carry on with civility
    > Nov 01 14:40:09 <seemant> NOT with threats
    > Nov 01 14:40:13 <th3mp> i m not doing anything or threatoning anything
    > Nov 01 14:40:20 <seemant> right now, all there is is your word that you
    > got hacked
    > Nov 01 14:40:22 <seemant> no proof
    > Nov 01 14:40:34 <seemant> and you come in here with threats about
    > calling lawyers and issuing subpoenas
    > Nov 01 14:40:45 <seemant> if you have intent to do that, then just do it
    > Nov 01 14:40:59 <seemant> don't come in here acting all macho and being
    > an ass about it
    > Nov 01 14:41:11 <th3mp> my lawyer will be online as soon as i set up a bnc
    > Nov 01 14:41:25 <th3mp> if that how you take it seemant that is your
    > issue not mine
    > Nov 01 14:41:31 <seemant> then let him come online
    > Nov 01 14:41:33 <th3mp> i am not being macho
    > Nov 01 14:41:39 <seemant> if you wish
    > Nov 01 14:41:47 <seemant> I'm done with the convo
    > Nov 01 14:42:07 <seemant> if your lawyer needs to contact ANYONE in the
    > channel, s/he contacts me first, as I am the one in charge of the channel
    > Nov 01 14:42:15 <th3mp> okay seemant why are you so upset anyways ?
    > Nov 01 14:42:18 <seemant> and like I told you before, full name and
    > verifiable credentials
    > Nov 01 14:42:29 <seemant> because I do not like your attitude th3mp
    > Nov 01 14:42:32 <seemant> that's why
    > Nov 01 14:42:38 <th3mp> seemant you dont make ecurity policies on
    > freenode and you dont own gentoo
    > Nov 01 14:42:48 <seemant> I own this channel
    > Nov 01 14:42:52 <seemant> simple as that
    > Nov 01 14:42:56 <th3mp> okay then you own this channel
    > Nov 01 14:43:03 <seemant> as far as owning gentoo, I am the second in
    > command at gentoo
    > Nov 01 14:43:14 <th3mp> thats nice to know
    > Nov 01 14:43:45 <seemant> and your box being hacked, is not a freenode
    > security policy
    > Nov 01 14:43:51 <seemant> it's a "your box" security policy
    > Nov 01 14:44:30 <th3mp> not if you dont wish you help by giving
    > information anyother distro who owns a channel would gladly give out
    > Nov 01 14:44:35 <th3mp> its like you have somthing to hide
    > Nov 01 14:44:46 <th3mp> at least thats how it looks to me
    > Nov 01 14:44:48 <seemant> as for my developers, I will stand by them
    > 100%; IF your box got hacked, it was NOT a gentoo developer or a
    > representative of gentoo
    > Nov 01 14:44:51 <seemant> hahaha
    > Nov 01 14:44:52 <seemant> you're funny
    > Nov 01 14:45:00 <th3mp> why ?
    > Nov 01 14:45:05 <seemant> I'd almost say you're cute, except for the
    > fact that you're annoying
    > Nov 01 14:45:15 <seemant> if you want co-operation, ask for it NICELY
    > Nov 01 14:45:18 <seemant> not with a threat
    > Nov 01 14:45:24 <th3mp> why wouldnt you help seems like that would be
    > the proper thing to do and the ethical one
    > Nov 01 14:45:33 <th3mp> there was no threat
    > Nov 01 14:45:34 <seemant> you never asked me for help
    > Nov 01 14:45:38 <seemant> not nicely, not any other way
    > Nov 01 14:45:46 <seemant> you spouted off about subpoenas straight off
    > Nov 01 14:45:53 <seemant> sorry, but that doesn't seem like "asking for
    > help"
    > Nov 01 14:46:01 <th3mp> perhaps, i didnt have the social skils to ask
    > you the way you wanted
    > Nov 01 14:46:06 <seemant> anyhow, I'm done, and I'm putting you on
    > /ignore now
    > Nov 01 14:46:17 <th3mp> okay seemant
    > **** ENDING LOGGING AT Sat Nov 1 14:52:00 2003
    >
    >
     
    a-wall, Nov 3, 2003
    #2
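An added triage example in Python (not code from the thread, from a-wall, or from Gentoo) that covers the checks a-wall describes in the post above and Sponge's point about the destination address: parse `lsattr` output for the immutable flag, compare file contents against the recorded md5sums, classify 224.0.0.251:5353 as the mDNS multicast group rather than a host with an owner, and flag the usual LD_PRELOAD persistence locations. All sample data is constructed; the hash comparison assumes the suspect disk is read from a clean boot rather than through the compromised system.

```python
import hashlib
import ipaddress

# Constructed `lsattr` output (not from the thread): the replaced binaries were
# made immutable with `chattr +i`, which is what a-wall's lsattr check revealed.
SAMPLE_LSATTR = """\
----i--------e-- /bin/ps
----i--------e-- /bin/netstat
-------------e-- /bin/ls
"""
# Constructed "md5sums on record" and the bytes now on the suspect disk. Read
# the disk from a clean boot: an LD_PRELOAD hook in the compromised system's
# libc can hide changes from any checker (AIDE included) that runs on top of it.
RECORDED_MD5 = {p: hashlib.md5(b"original " + p.encode()).hexdigest()
                for p in ("/bin/ps", "/bin/netstat", "/bin/ls")}
CURRENT_CONTENTS = {"/bin/ps": b"trojaned ps", "/bin/netstat": b"original /bin/netstat",
                    "/bin/ls": b"original /bin/ls"}

def immutable_files(lsattr_output):
    """Paths whose lsattr attribute field contains the 'i' (immutable) flag."""
    hits = []
    for line in lsattr_output.splitlines():
        parts = line.split(None, 1)           # "<attrs> <path>"
        if len(parts) == 2 and "i" in parts[0]:
            hits.append(parts[1])
    return hits

def md5_mismatches(recorded, contents):
    """Paths whose current MD5 differs from the recorded one, or that are missing."""
    return [p for p, want in recorded.items()
            if p not in contents or hashlib.md5(contents[p]).hexdigest() != want]

def classify_destination(ip, port):
    """Tell a multicast group apart from a host, so nobody goes looking for its 'owner'."""
    addr = ipaddress.ip_address(ip)
    if str(addr) == "224.0.0.251" and port == 5353:
        return "multicast: mDNS group (224.0.0.251:5353), not a host to whois"
    if addr.is_multicast:
        return "multicast: group address, not a host"
    return "unicast host"

def preload_indicators(environ, ld_so_preload_text):
    """Flag the usual LD_PRELOAD persistence spots: the env var and /etc/ld.so.preload."""
    hits = []
    if environ.get("LD_PRELOAD"):
        hits.append("LD_PRELOAD=" + environ["LD_PRELOAD"])
    for line in ld_so_preload_text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            hits.append("/etc/ld.so.preload: " + line.strip())
    return hits
```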

  3. donutbandit

    donutbandit Guest

    a-wall <> wrote in
    news:wexpb.169$:

    > Hi, I have been in the business of administration for Unix and Linux for
    > almost ten years now.
    > My laptop was hacked, and in such a way that AIDE, a free version of
    > Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
    > system. I was testing WiFi and my iptables firewall was messed up for a
    > day.



    I thought Linux was completely safe. At least, that's what certain people
    would have you believe.
     
    donutbandit, Nov 3, 2003
    #3
  4. Jason

    Jason Guest

    * donutbandit <>:
    > a-wall <> wrote in
    > news:wexpb.169$:
    >
    >> Hi, I have been in the business of administration for Unix and Linux for
    >> almost ten years now.
    >> My laptop was hacked, and in such a way that AIDE, a free version of
    >> Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
    >> system. I was testing WiFi and my iptables firewall was messed up for a
    >> day.

    >
    >
    > I thought Linux was completely safe. At least, that's what certain people
    > would have you believe.


    The only completely safe box is the one still in the packing box, and you know
    it. Or maybe a standalone that's never on any network of any sort.

    Jason
     
    Jason, Nov 3, 2003
    #4
  5. Dazz

    Dazz Guest

    On 3 Nov 2003 19:12:18 GMT, donutbandit <> wrote:

    >a-wall <> wrote in
    >news:wexpb.169$:
    >
    >> Hi, I have been in the business of administration for Unix and Linux for
    >> almost ten years now.
    >> My laptop was hacked, and in such a way that AIDE, a free version of
    >> Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
    >> system. I was testing WiFi and my iptables firewall was messed up for a
    >> day.

    >
    >
    >I thought Linux was completely safe. At least, that's what certain people
    >would have you believe.


    Why would you say that?

    If a computer is networked, or even if someone has physical access to
    it, then it can't be truly regarded as safe.

    Security isn't something that can be narrowed down to just the
    Operating System.

    Most Operating Systems straight out of the box aren't secure (some
    more so than others).

    The reality is that there are all sorts of things that must be taken
    into consideration in regards to computer security, such as what
    services you're running on the box, what your users are allowed to
    do, how well you keep the box patched etc etc etc.

    It's also important to realise that there is a difference between an
    Operating System being exploited, and, for instance, a daemon running
    on top of that Operating System.

    An example of this, would be say, Apache. Just because Apache has a
    vulnerability and can be open to exploit, does not mean that Linux was
    at fault (this is something that's often overlooked by Micro$oft
    biased media reports).

    And that's something a lot of people seem to forget.

    Having said that, this is more true regarding *nix boxes than Windows
    boxes, as Micro$oft usually develops the daemons listening on top of
    the Operating System as well, i.e. IIS.

    Obviously, this isn't always the case as well, as there are third
    parties that develop daemons for Windows as well.

    Dazz
     
    Dazz, Nov 4, 2003
    #5
  6. Dazz

    Dazz Guest

    On Mon, 03 Nov 2003 10:34:41 -0800, a-wall <> wrote:

    <snipped>

    >I believe the attack originated from a #gentoo-sparc channel, but I nuked
    >all my logs in a hurry to get the system back up.


    <snipped>

    > When I asked for help from the second in command at Gentoo Linux I
    > received none, and the following is what I have so far.


    Why would you expect them to help you?

    Because you believe the attack originated from a #gentoo-sparc
    channel?

    If that's the case, then I'm not surprised that they haven't contacted
    you.

    Dazz
     
    Dazz, Nov 4, 2003
    #6
  7. a-wall

    a-wall Guest

    Sponge wrote:
    > On Mon, 03 Nov 2003 10:34:41 -0800, a-wall wrote:
    >
    >
    >> Hi, I have been in the business of administration for Unix and Linux for
    >> almost ten years now.
    >> My laptop was hacked, and in such a way that AIDE, a free version of
    >> Tripwire, was bypassed by a lib which was LD_PRELOADed, affecting the file
    >> system. I was testing WiFi and my iptables firewall was messed up for a
    >> day.
    >>
    >> I believe the attack originated from a #gentoo-sparc channel, but I nuked
    >> all my logs in a hurry to get the system back up.
    >>
    >> I did an lsattr and /bin/ps, /bin/netstat among other binaries had been
    >> changed to immutable, and md5sums didn't match the ones on record.
    >>
    >> I have most of the hacked system on my NFS server and am bringing it
    >> back up to watch traffic.
    >>
    >> The trojan was sending data to IP address 224.0.0.251 on port 5353.
    >> I cannot find who owns this IP address, and it could be a decoy.
    >>
    >> I replaced these to attempt to track down the hackers and the lib
    >> disappeared, but I still have hacked binaries (/bin/login etc.) on tape.
    >>
    >> I should have just left it alone so I didn't inadvertently destroy
    >> evidence.
    >>
    >> When I asked for help from the second in command at Gentoo Linux I
    >> received none, and the following is what I have so far.
    >>
    >> I and my legal aide came in as botched and themp/th3mp in this
    >> conversation with seemant, the second in command at Gentoo.

    >
    >
    > Uh, after 10 years administering Unix and Linux, you should surely be
    > aware that the IP you mentioned is a multicast address.
    >


    Yes, I know it's a multicast address; I still have to troll a little for
    more information. As to the validity of my logs: if I were whomever was
    questioning the validity of them, try to get the valid logs from
    gentoo-sparc.

    And if you use the word "Uh" you must be 15, correct?
     
    a-wall, Nov 8, 2003
    #7
  8. Jim Watt

    Jim Watt Guest

    On Fri, 07 Nov 2003 21:48:54 -0800, a-wall <> wrote:

    >And if you use the word "Uh" you must be 15, correct?


    Uh no, I don't think he is, but he knows what the
    address block is.

    --
    Jim Watt http://www.gibnet.com
     
    Jim Watt, Nov 8, 2003
    #8
