lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <008101c49c6d$0dc3f190$35891518@zephyr>
From: micah at style.net (Micah McNelly)
Subject: Severe exploit found, all UNIX are affected!

Don't feed the animals.

/m

----- Original Message -----
From: "Billy B. Bilano" <mr.bill.bilano@...il.server.unix.bill.bilano.biz>
To: <full-disclosure@...ts.netsys.com>
Sent: Thursday, September 16, 2004 12:54 PM
Subject: [Full-Disclosure] Severe exploit found, all UNIX are affected!


> Dudes,
>
> Bad news today. Oh my goodness! I am in a tizzy-fit over this! I am such
> an expert at system administrating but even the best of us fall from
> glory now and then. And let me tell you, this is one time I believe
> somebody got the best of me... and that somebody is a fellow named
Charles!
>
> It all started when my big OpenBSD box took a dumper and I got paged. So
> I get into the bank and start to look around and I poke and prod the box
> and then I log into it and run the appropriate debug tools (ls, ps, top,
> cut, etc. -- pun not intended). I notice, at long last, that the console
> messages were not lying... the hard drive was indeed full! (you can
> never be too sure about that sort of thing as everybody will agree)
>
> The offending file was the previous administrator (Stan, who got fired
> when I became IT director because he was a puss and always joked about
> beer and had a picture of some baby looking at teats saying "lunch" on
> his cube wall -- that offended me as a larger man). So his old
> administrator account has a huge mail spoolball that is taking up 80% of
> the drive! Holy crappers! So I logged in as "stan" and used his password
> he gave me in exchange for his severance package. I typed "mail" hoping
> to see if this would let me view his mail and it did -- thankgod! What I
> saw scared the holy mole dickens out of me...
>
> Thousands of emails! As I started reading them, I realized the full
> extent of what is, without a doubt, going to become known as the biggest
> and most notorious hack in the history of the Internet!
>
> Northcutt better take out that section about the Mitnik attack in that
> terrible book he is always rehasing with only a spit-shine and fancy new
> cover because here comes something leaner and meaner! (I have re-bought
> that nut's book eight times and it is always the same old cruft over and
> over but there wont be a ninth purchase, you bet your pink pajamas!)
> Someone needs to tell him that SANS is not the MANS! LOL!
>
> This is BIG, folks! The mails... there were big ones and small ones and
> they all had one thing in common: they were from a person who would soon
> be determined to be a master hacker who has obviously infiltrated the
> bank's system long ago, before I even canned Stan (he was such a chump
> and always lost his wallet because he wore those baggy hacker pants).
>
> It seems that this black head hacker, named Charlie Root, has been busy
> alright... Every night, like clockwork, he sends me a few emails that
> contain the most intimate of details about the server! Drive space,
> logins, users I've created and removed, and more! I think he is trying
> to extort money from the bank!
>
> I was scared to hell to raise any red alarms at the bank so I started to
> look around and I believe I found out who this Charlie Root person
> really is:
>
>
http://www.baseballlibrary.com/baseballlibrary/ballplayers/R/Root_Charlie.st
m
>
> It seems that old Chinski used to play baseball for the Brown Cubs back
> in his youth. Clearly, from reading about his shoddy career, he was
> washed up as his stats are terrible by modern standards and he retired
> from the game in 1970! Now, as is abundantly clear, he has reached a
> desperate point in his life and is now devoting his time to taking over
> the world's infrastructure and trying to do phishy things and extort
> money from gallant administrators like myself.
>
> I looked into the front directory on my server and saw a folder called
> "root"! OMGF! I dove into his folder and saw all kinds of hacker files
> (like some thinger called ".bash_history" which seems to contain a list
> of commands he uses to take over the system, and ".forward" which
> contains Stan's email address). There were also tarballers for other
> things that look like old log backups! Incredible! I tried to delete
> some of these trojan files but it said I could not! I did some more
> looking around and found another startling fact: Charlie Root has
> changed my shell! It is not sh like it should be, it has been set to
> "stsh" which it certainly some kind of backdoor hacker tool to capture
> my strokes!
>
> Normally I would just reboot the server but this time, since I was at
> lunch, I decided to play around with my EMACKS script on my new Sun
> 6800's and, by chance, I saw that almost every file on the system was
> already owned by the "root" fellow! He has the guile to call himself
> "Super-User!" when I fingered (LOL) his account! We have only had these
> systems for a little over a month and this Charlie Root has already
> taken over every UNIX server in the bank!
>
> This may be the end of our company if I cannot get this hacker out of
> our systems and expunge the network of this wretched "root" Chinski
> thing. I will not bow to his extortion attempts!
>
> Someone please tell me what I should do next!
>
> P.S. My bloglog has more background info and stuff about Chinski's
> involvement in Y2000K... <http://www.bilano.biz/>
>
> --
> Mr. Billy B. Bilano, MSCE, CCNA
> <http://www.bilano.biz/>
> Expert Sysadmin Since 2003!
> 'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ