[SunHELP] Tracking Hacker ?

James Fogg sunhelp at sunhelp.org
Wed Apr 25 08:07:14 CDT 2001


My guesses:
Someone at work runs a packet analyzer (sniffer). With telnet (i.e.
rapeme_im_stupid) running and someone rooting from the Internet you are wide
open. 

Or, someone on the internet used a packet analyzer and caught the
cleartext password for root (if your buddy uses cable/dsl, just shoot yourself).

They don't appear very sophisticated if they didn't modify the file access time
for motd. Run SSH exclusively and your console traffic will be reasonably
secure. You should even run SSH on your routers (Cisco supports SSH, maybe
others do too).

Another hint, since you're a Director of Netops, tighten up your security and
study intrusion methods (or hire someone clueful). Even a firewall is no
protection, just a delaying tactic.

btw... no firewall at work? AND it's a communications company (I hope you do
better for your customers)? My suggestion is get a firewall or get a new job.
When someone cleans your company's clock the bigdude will ask why it happened.
You will have no good answer.

On Tue, 24 Apr 2001, THOU SPAKE:
> Well, uhhh, no .. unfortunately I have no firewall protecting this
> machine.  It is a machine I have colocated at my place of work.  It is
> used as a webserver and mail server - nothing more.  I generally shut off
> all ports like telnet, ftp, etc but for some reason when I set this one up
> I didn't - I think it's because the other guy who has root said I was too
> paranoid and told me to keep telnet open ?  
> 
> Nothing was out of the usual for /etc/passwd.  In fact, after this had
> happened, I also locked accounts that aren't ever used temporarily because
> if they aren't used - do they need to be active? :)  
> 
> I'll check with our system administrator on the log thing, but I'm willing
> to bet we keep no logs on our router.
> 
> I'll keep lookin' around perhaps looking for all / any files modified on
> "Apr 24" at 18:52 or so.. Otherwise, from the looks of it, the ONLY files I
> see that were touched so far were /etc/motd, /var/adm/messages and the
> wtmp or utmp files I assume since there is nothing in "last" ... 
> 
> Thank you!  I know, I know.. I need to get tighter security on EVERY
> machine on the net.  The only "SECURE SERVER" is one that is not plugged
> in :)
> 
> 
> Jeff Feller
> Director of Network Operations
> BitZ Communications
> P.O. Box 157
> Surrey, ND  58785
> 
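Worked example for James's first point (a sniffer on the segment, or on the
buddy's cable/DSL line, catching the root password). This is added here as an
illustration and is not code from the SunHELP thread or from either poster. It
assumes the sniffer has already split the TCP session into ordered
(direction, payload) segments, "S" for server->client and "C" for
client->server; the session in sample_session() is constructed to look like a
Solaris in.telnetd login and is not a real capture. It shows what a practitioner
needs to know about telnet that the sentence alone does not: option negotiation
(IAC sequences) has to be stripped, the client sends one keystroke per packet,
the server echoes the username but not the password, and backspace/DEL and the
CR NUL line ending must be honoured to get the password the user actually sent.

```python
"""Reconstruct a telnet login from captured TCP payloads.

Added example for this thread, not from the SunHELP list or either poster. It
assumes the sniffer already split the session into (direction, payload) segments
in order ("S" server->client, "C" client->server); the session below is
constructed to look like a Solaris in.telnetd login and is not a real capture.
"""
from typing import List, Tuple

IAC, SB, SE = 255, 250, 240          # telnet command bytes (RFC 854)


def strip_telnet(data: bytes) -> bytes:
    """Drop option negotiation (IAC x, IAC WILL/WONT/DO/DONT x, IAC SB ... IAC SE)
    and return only the NVT text; IAC IAC is an escaped literal 0xff."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= n:
            break                           # dangling IAC at end of segment
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif 251 <= cmd <= 254:             # WILL/WONT/DO/DONT carry an option byte
            i += 3
        else:
            i += 2
    return bytes(out)


def extract_logins(segments: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Return (user, password) pairs typed after 'login:' / 'Password:' prompts.

    Telnet clients usually send one keystroke per packet and the server echoes the
    username but not the password, so the fields are reassembled from the client
    direction only, honouring backspace/DEL and the CR NUL that ends a line.
    """
    creds: List[Tuple[str, str]] = []
    tail = b""                              # last bytes the server sent
    field = None                            # "user" or "pass" while a prompt is open
    buf = bytearray()
    user = ""
    for direction, raw in segments:
        text = strip_telnet(raw)
        if direction == "S":
            tail = (tail + text)[-32:]
            low = tail.lower().rstrip(b" ")
            if low.endswith(b"password:"):
                field, buf = "pass", bytearray()
            elif low.endswith(b"login:") and not low.endswith(b"last login:"):
                field, buf = "user", bytearray()
            continue
        if field is None:
            continue                        # shell commands after login: skipped here
        for b in text:
            if b in (0x0D, 0x0A):           # end of line: CR LF or CR NUL
                value = buf.decode("latin-1")
                if field == "user":
                    user = value
                else:
                    creds.append((user, value))
                field, buf = None, bytearray()
                break
            if b in (0x08, 0x7F):           # backspace / DEL
                if buf:
                    buf.pop()
            elif b != 0:
                buf.append(b)
    return creds


def sample_session() -> List[Tuple[str, bytes]]:
    """Constructed client/server segments of a telnet login (not a real capture)."""
    def keys(s: str) -> List[Tuple[str, bytes]]:   # one keystroke per packet
        return [("C", bytes([c])) for c in s.encode()]
    return (
        [("S", b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),   # DO TTYPE/NAWS/XDISPLOC/NEW-ENVIRON
         ("C", b"\xff\xfb\x18\xff\xfb\x20\xff\xfc\x23\xff\xfb\x27"),
         ("S", b"\xff\xfa\x18\x01\xff\xf0"),                            # SB TERMINAL-TYPE SEND SE
         ("C", b"\xff\xfa\x18\x00vt100\xff\xf0"),
         ("S", b"\xff\xfb\x01\xff\xfb\x03\r\nSunOS 5.8\r\n\r\nlogin: ")]
        + [seg for k in "root" for seg in (("C", k.encode()), ("S", k.encode()))]   # echoed
        + [("C", b"\r\x00"), ("S", b"\r\nPassword: ")]
        + keys("s3cx") + [("C", b"\x7f")] + keys("r3t")                 # typo, DEL, fix; not echoed
        + [("C", b"\r\x00"),
           ("S", b"\r\nLast login: Tue Apr 24 18:52:03 from 10.0.0.7\r\n# ")]
    )


def demo() -> List[Tuple[str, str]]:
    return extract_logins(sample_session())


if __name__ == "__main__":
    for user, pw in demo():
        print("telnet login: user=%r password=%r" % (user, pw))
```

Anyone on the path between the client and the server (a coworker with a
sniffer, or whoever owns the cable segment) gets the same result, which is why
the advice is SSH everywhere, including on the routers, rather than a firewall
rule that still lets the cleartext session through.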
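Worked example for the triage Jeff describes (looking for files touched around
"Apr 24 at 18:52", an empty `last`, and James's remark about the intruder not
fixing motd's timestamps). Added here as an illustration; it is not code from
the SunHELP thread or from either poster. It assumes the filesystem keeps
atime/mtime/ctime for every file and that the intrusion falls inside a known
window; every path, size and timestamp in sample_records() is constructed for
the demo. The check it adds to Jeff's plan is ctime: touch(1) and utime(2) can
reset atime and mtime to any value, but the kernel sets ctime to the current
time on every inode change, so a file whose ctime is inside the window while
its mtime claims to be older has been written (or chmod/chown'ed) during the
intrusion and then backdated. The 20-minute window is hard-coded for the demo.

```python
"""Timestamp triage for a suspected intrusion window.

Added example for this thread, not code from the SunHELP list or either poster.
Assumptions: the box keeps atime/mtime/ctime for every file, the intruder's
activity falls inside a known window (Jeff's "Apr 24 at 18:52 or so"), and every
path, size and time below is constructed for the demo.
"""
import os
import stat
from datetime import datetime
from typing import Dict, List, NamedTuple


class Rec(NamedTuple):
    path: str
    size: int
    atime: float
    mtime: float
    ctime: float


def ts(*ymdhm: int) -> float:
    """Local-time epoch seconds for (year, month, day, hour, minute)."""
    return datetime(*ymdhm).timestamp()


def collect(root: str) -> List[Rec]:
    """Snapshot every regular file under root with lstat (symlinks not followed)."""
    recs = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue            # vanished or unreadable: skip, do not abort triage
            if stat.S_ISREG(st.st_mode):
                recs.append(Rec(path, st.st_size, st.st_atime, st.st_mtime, st.st_ctime))
    return recs


def triage(recs: List[Rec], start: float, end: float) -> Dict[str, List[str]]:
    """Return {path: findings} for files whose timestamps intersect [start, end].

    mtime is what the intruder can reset with touch(1); ctime is set by the kernel
    on every inode change and cannot be set from user space without moving the
    system clock, so ctime inside the window with mtime before it means the file
    was written (or chmod/chown'ed) during the intrusion and then backdated.
    """
    report: Dict[str, List[str]] = {}
    for r in recs:
        notes = []
        if start <= r.mtime <= end:
            notes.append("mtime in window: content written during the intrusion")
        if start <= r.ctime <= end and r.mtime < start:
            notes.append("ctime in window but mtime before it: backdated with touch(1), or chmod/chown only")
        if start <= r.ctime <= end and r.size == 0:
            notes.append("size 0 after a change in the window: truncated (log wipe?)")
        if notes:
            report[r.path] = notes
    return report


def sample_records() -> List[Rec]:
    """Constructed stat snapshots, as if taken on Jeff's box after Apr 24 2001."""
    old = ts(2001, 3, 1, 9, 0)
    t1852, t1855, t1858 = ts(2001, 4, 24, 18, 52), ts(2001, 4, 24, 18, 55), ts(2001, 4, 24, 18, 58)
    return [
        Rec("/etc/passwd", 812, old, old, old),                       # untouched
        Rec("/export/www/index.html", 4096, ts(2001, 4, 24, 12, 0),
            ts(2001, 4, 20, 8, 30), ts(2001, 4, 20, 8, 30)),          # read today, written last week
        Rec("/etc/motd", 57, t1852, t1852, t1852),                    # edited, timestamps left alone
        Rec("/var/adm/wtmp", 0, t1855, t1855, t1855),                 # why `last` shows nothing
        Rec("/usr/bin/login", 24580, ts(2000, 10, 5, 3, 12),
            ts(2000, 10, 5, 3, 12), t1858),                           # replaced, then touch -r'd
    ]


def demo() -> Dict[str, List[str]]:
    """Run triage over the constructed snapshot with a 20-minute window around 18:52."""
    return triage(sample_records(), ts(2001, 4, 24, 18, 45), ts(2001, 4, 24, 19, 5))


def touch_cannot_backdate_ctime() -> bool:
    """Live check of the ctime claim: utime(2) (what touch -t does) moves mtime only."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "motd")
        with open(path, "w") as f:
            f.write("owned\n")
        past = ts(2001, 4, 1, 0, 0)
        os.utime(path, (past, past))
        st = os.lstat(path)
        return abs(st.st_mtime - past) < 1 and st.st_ctime - st.st_mtime > 365 * 86400


if __name__ == "__main__":
    import sys
    start, end = ts(2001, 4, 24, 18, 45), ts(2001, 4, 24, 19, 5)
    recs = collect(sys.argv[1]) if len(sys.argv) > 1 else sample_records()
    for path, notes in sorted(triage(recs, start, end).items()):
        print(path)
        for n in notes:
            print("   ", n)
```

Run it with no argument for the constructed snapshot, or with a mount point to
scan a real filesystem (do that from a read-only mount or a dd image, since
walking the live disk updates atimes and destroys evidence). The ctime check is
the one that catches a replaced binary whose mtime was put back with
`touch -r`; a truncated wtmp shows up as size 0 with its change inside the
window, which matches Jeff's empty `last` output.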


