lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040609175255.GD534@phobos.fs.tum.de>
From: Simon.Richter at hogyros.de (Simon Richter)
Subject: Possible First Crypto Virus Definitely Discovered!

Hi,

> Also, right before I wrote this message I blocked port 443 in and out on our
> firewall at the bank! I will be going over these servers very carefully
> tonight to look for anything wacky or goofy.

This kind of reminds me of one fine day, when I was greeted by the words

       "This system has been hacked by the Goblin-Hacking group".

Needless to say, I instantly came back from my vacation, turned up on
the site at 2am only to be greeted by another sysadmin who also just
cancelled his vacation. We compared the system against the daily backups
and came to the conclusion that only the MOTD had been modified (that's
why we keep four versions of each file, cryptographically timestamped).
Puzzled, we began to investigate. The local logs showed only a logon by
another sysadmin, and in his home directory, there was a .bash_history
reading:

dff				# Huh?
df				# okay.
emmaks				# WTF?
emacs /etc/motd			# not installed, duh!
vi /etc/motd			# Heh.
rm /var/log/syslog		# Permission denied.
rm -f /var/log/syslog		# Permission denied.
rm .bash_history		# Yeah, right.
exxxx				# no comment.
exit

This was the point where we decided to go upstairs to the office for a
beer, only to find two other admins (one of which the account belonged
to) had obviously been drinking up everything we had in the fridge.

It took me a whole two days to get the image of our drunken sysadmins
hacking on innocent Goblins out of my mind (can't people at least
interpunctuate correctly?).

Since that day, occasionally users ask why the MOTD reads: "This system
has NOT been hacked by the Goblin-Hacking group". :-)

   Simon

(Lessions learned: You can save a lot of time by
 - Having multiple cryptographically timestamped versions of every file
 - Using BSD securelevels and append-only logfiles)

-- 
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040609/a625e88d/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ