
Re: [cobalt-users] Hacked Raq3 - some symptoms



On Sat, 24 Feb 2001, vijay wrote:
> Following is the one which Hacked my system.
> 
> Feb 18 16:23:20 xxxxxx named[6270]: starting (/etc/named.conf).  named
> 8.2.3-RE
> L Fri Feb  9 19:22:23 EST 2001 ^Iroot@choke:/tmp/update/src/bin/named

Cute, he updated bind for you -/ Hint that that is probably how he got in
also....

> Feb 20 13:36:36 xxxxx useradd[10783]: new group: name=named, gid=25
> Feb 20 13:36:36 xxxxx useradd[10783]: new user: name=named, uid=25,

> This is how the hacker created a new user. I have removed this entry

no, he just was being complete, making a user for bind -/

he already had root access ...

> Feb 20 13:37:34 xxxxx init: Switching to runlevel: 6
> Feb 20 13:37:34 xxxxx mgetty[610]: failed dev=ttyS0, pid=610, got signal
> 15, exiting

He's not too Raq savvy tho, runlevel 6 isn't right ...

> Feb 20 13:37:42 xxxxx named[371]: named shutting down

lol...shot hisself in the foot

> Feb 24 05:15:01 xxxxx inetd[8722]: execv /usr/sbin/in.identd: No such
> 
> This entry is there everywhere. Just wondering what is this? Is this
> file really missing??

That's a result of replacing your inetd.conf, you didn't have this in the
original...

I'd hazard a guess that the ftp logins have nothing to do with this guy...

> In general, the attempt has been to try for the IP address and if not
> possible, for the Host Name.

I suspect the fellow who got in went right for the nameserver without
touching anything else....

(But save everything, you never know what might turn out to be useful
evidence....)

gsh
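The symptoms gsh walks through above (a BIND binary compiled under /tmp, a fresh useradd, a switch to runlevel 6, named shutting down, and inetd failing to execv a server that isn't installed) are all things a small log triage script can pick out of /var/log/messages. The following is an added example, not code from either poster or from Cobalt; the sample log lines are constructed from the excerpts quoted in the thread (host name kept as xxxxx, truncated lines completed with labelled text), and the rule names and the list of scratch build directories are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, modelled on the log excerpts quoted in the thread.
# The useradd and inetd lines were cut short in the post and are completed
# here with plausible text; nothing below is taken from a real system.
SAMPLE_LOG = """\
Feb 18 16:23:20 xxxxx named[6270]: starting (/etc/named.conf).  named 8.2.3-REL Fri Feb  9 19:22:23 EST 2001 \troot@choke:/tmp/update/src/bin/named
Feb 20 13:36:36 xxxxx useradd[10783]: new group: name=named, gid=25
Feb 20 13:36:36 xxxxx useradd[10783]: new user: name=named, uid=25, gid=25
Feb 20 13:37:34 xxxxx init: Switching to runlevel: 6
Feb 20 13:37:34 xxxxx mgetty[610]: failed dev=ttyS0, pid=610, got signal 15, exiting
Feb 20 13:37:42 xxxxx named[371]: named shutting down
Feb 24 05:15:01 xxxxx inetd[8722]: execv /usr/sbin/in.identd: No such file or directory
"""

# Classic BSD syslog layout: "Mon dd HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Assumed list: directories in which a vendor-packaged daemon is never compiled.
SCRATCH_BUILD_DIRS = ("/tmp/", "/var/tmp/", "/home/", "/dev/shm/")


@dataclass
class Finding:
    ts: str
    prog: str
    rule: str
    detail: str


def parse_line(line: str):
    """Return the syslog fields of one line, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def check_event(ev: dict) -> list:
    """Apply the indicator rules drawn from the thread to one parsed event."""
    prog, msg, ts = ev["prog"], ev["msg"], ev["ts"]
    out = []
    if prog == "named" and msg.startswith("starting"):
        # BIND 8 prints the builder and build path in its start-up banner. A path
        # under a scratch directory means the running binary is not the vendor package.
        bm = re.search(r"(\S+@\S+):(\S+)$", msg)
        if bm and bm.group(2).startswith(SCRATCH_BUILD_DIRS):
            out.append(Finding(ts, prog, "named-foreign-build",
                               "built by %s in %s" % bm.groups()))
    elif prog == "named" and "shutting down" in msg:
        out.append(Finding(ts, prog, "named-shutdown", msg))
    elif prog == "useradd" and msg.startswith(("new user", "new group")):
        # Any account or group creation on a production box must map to a known change.
        out.append(Finding(ts, prog, "account-created", msg))
    elif prog == "init":
        rm = re.match(r"Switching to runlevel: (\d)", msg)
        if rm and rm.group(1) in ("0", "6"):
            out.append(Finding(ts, prog, "halt-or-reboot", "runlevel " + rm.group(1)))
    elif prog == "inetd" and msg.startswith("execv ") and "No such file" in msg:
        # inetd.conf names a server binary that is not installed, so the config
        # no longer matches what the system shipped with.
        out.append(Finding(ts, prog, "inetd-missing-service",
                           msg.split()[1].rstrip(":")))
    return out


def triage(log_text: str) -> list:
    """Parse every line and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            findings.extend(check_event(ev))
    return findings


def rules_fired(log_text: str) -> list:
    """Just the rule names, in order; handy for a quick overview or a test."""
    return [f.rule for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts}  {f.prog:<8} {f.rule:<24} {f.detail}")
```

Run against a real /var/log/messages the rules are deliberately noisy: a reboot or a useradd is only interesting when nobody can account for it, which is exactly the cross-check gsh is making against vijay's reading of the log. The one rule that is suspicious on its own is the build banner, since a daemon compiled in /tmp by a host you do not recognise cannot be explained by routine administration.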