[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040609175255.GD534@phobos.fs.tum.de>
From: Simon.Richter at hogyros.de (Simon Richter)
Subject: Possible First Crypto Virus Definitely Discovered!
Hi,
> Also, right before I wrote this message I blocked port 443 in and out on our
> firewall at the bank! I will be going over these servers very carefully
> tonight to look for anything wacky or goofy.
This kind of reminds me of one fine day, when I was greeted by the words
"This system has been hacked by the Goblin-Hacking group".
Needless to say, I instantly came back from my vacation, turned up on
the site at 2am only to be greeted by another sysadmin who also just
cancelled his vacation. We compared the system against the daily backups
and came to the conclusion that only the MOTD had been modified (that's
why we keep four versions of each file, cryptographically timestamped).
Puzzled, we began to investigate. The local logs showed only a logon by
another sysadmin, and in his home directory, there was a .bash_history
reading:
dff # Huh?
df # okay.
emmaks # WTF?
emacs /etc/motd # not installed, duh!
vi /etc/motd # Heh.
rm /var/log/syslog # Permission denied.
rm -f /var/log/syslog # Permission denied.
rm .bash_history # Yeah, right.
exxxx # no comment.
exit
This was the point where we decided to go upstairs to the office for a
beer, only to find two other admins (one of which the account belonged
to) had obviously been drinking up everything we had in the fridge.
It took me a whole two days to get the image of our drunken sysadmins
hacking on innocent Goblins out of my mind (can't people at least
interpunctuate correctly?).
Since that day, occasionally users ask why the MOTD reads: "This system
has NOT been hacked by the Goblin-Hacking group". :-)
Simon
(Lessions learned: You can save a lot of time by
- Having multiple cryptographically timestamped versions of every file
- Using BSD securelevels and append-only logfiles)
--
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD ADC6 18A0 CC8D 5706 A4B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040609/a625e88d/attachment.bin
Powered by blists - more mailing lists