From: Kerry Gray
Newsgroups: alt.sysadmin.recovery
Subject: Quality time with script kiddies
Date: 11 Sep 1999 18:04:43 GMT

G&S were right: a sysadmin's lot is not a happy one.

I return from Hawaii (first real vacation in three years -- the PFY I left behind had to call me only once) and like a good shepherd I look over my flock in the machine room. One nameserver has filled its log partition, and is generally acting strange. 'netstat' shows over a hundred outbound telnet sessions, mostly SYN_WAITing. Naughty server, _I_ do the telnetting around here. Hmmm, lots of processes named 'bla' running. Logs are trashed, so I turn to that command that is so often the bane of script kiddies:

    # history
    [snip]
    cd /usr/lib/libx/...
    ../bla -s 134.*.*.* >134
    [later on]
    more 134
    ftp
    ../bla -s 128.*.*.* >128

Fsckwit actually tells me his IP#. It's from a dialup block in de.ibm.net. I have his address, but email@example.com will want timestamps.

I look at /usr/lib/libx/... to see what else might be there. Oh look, he's left his kit bag, a 1.5MB file named 'backi^M'. Isn't that cuuute, he thinks a ^M will slow me down... It's a tar file with all his 'special' versions of telnetd, tcpd, etc. Now I know exactly what to replace. I still need that timestamp, though.

Kill all the bla sessions, think about all the embarrassing e-mail I'll be getting from cert.org, llnl.gov, etc. It's apparently a German site, so I replace his log file '128' with a nice note in fractured German explaining how sex with a real woman is more satisfying than fscking with a computer, and someday he might get lucky and find that out once his acne clears up, etc. I fire up tcpdump on another host and wait for k3wl haxrr d00d to pick up his '128' file.

The next day the log shows one use of the 'special' telnetd. I examine my tcpdump:

    [login without user name via 'special' telnetd]
    cd /usr/lib/libx/...
    w                                       [wouldn't want somebody watching you, right?]
    ls -la                                  [everything's still here]
    more 128                                [check out the results]
    ....my note, ending with the famous Zitat, 'leck mich im Arsch'
    ls -la                                  [am I looking in the right file?]
    more /etc/inetd.conf /etc/sylog.conf    [was I discovered?]
    more 128                                [just can't believe his eyes...has to read it again]
    more /var/log/*                         [desperate searching]
    more ~/.sh_history                      [the truth dawns...]
    more ~/.bash_history
    ....all his activities laid bare
    ln /dev/null ~/.bash_history            [right, nobody will _ever_ notice that]
    w
    ls -la
    ....about a five minute pause...
    rm -rf                                  [packs up to leave, but leaves the '...' directory for some reason]
    [gotta wonder why he didn't just rm -rf /]

I send the tcpdump file to firstname.lastname@example.org. A small victory, made easier by idiot d00dz. I read my e-mail, and compose a contrite letter to those 134.x.x.x sites that wrote to me. I fire up a replacement server and all is well once more.
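The post turns on three traces a defender can check for mechanically: a directory named with nothing but dots ('...') tucked under a system path, a file name with an embedded control character ('backi^M'), and a shell history file that has been pointed at /dev/null. The script below is an added example written for this page, not the poster's own tooling; the sample tree it builds is constructed data that mimics the post, and the list of history file names it looks for is an assumption.

```python
"""Sweep a filesystem tree for the traces described in the post (added example,
not the author's tooling): dot-only directory names such as '...', file names
containing control characters such as '^M', and shell history files that are
really /dev/null. Paths and the HISTORY_FILES list are assumptions."""
import os
import stat
import sys
import tempfile

# Assumed set of history file names worth checking; extend for other shells.
HISTORY_FILES = (".bash_history", ".sh_history", ".history")


def is_dot_only(name):
    # '.' and '..' are normal directory entries; three or more dots is the
    # classic hiding spot because it scrolls past the eye in an 'ls' listing.
    return len(name) >= 3 and set(name) == {"."}


def has_control_chars(name):
    # A carriage return or other control byte in a name makes it awkward to
    # type and easy to overlook in a terminal.
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in name)


def history_nulled(path):
    """True if a history file is a symlink to /dev/null, or is itself a
    character device (what a hard link to /dev/null looks like)."""
    try:
        if os.path.islink(path):
            return os.path.realpath(path) == "/dev/null"
        return stat.S_ISCHR(os.stat(path).st_mode)
    except OSError:
        return False


def scan(root):
    """Walk root and return a sorted list of (indicator, path) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if is_dot_only(d):
                findings.append(("dot-only directory", full))
            if has_control_chars(d):
                findings.append(("control char in name", full))
        for f in filenames:
            full = os.path.join(dirpath, f)
            if has_control_chars(f):
                findings.append(("control char in name", full))
            if f in HISTORY_FILES and history_nulled(full):
                findings.append(("history file nulled", full))
    return sorted(findings)


def build_demo():
    """Construct a throwaway tree with the three traces from the post
    (constructed sample data, not a real intrusion)."""
    root = tempfile.mkdtemp(prefix="kiddie-demo-")
    hideout = os.path.join(root, "usr", "lib", "libx", "...")
    os.makedirs(hideout)
    with open(os.path.join(hideout, "backi\r"), "wb") as fh:
        fh.write(b"not really a tarball")
    home = os.path.join(root, "root")
    os.makedirs(home)
    os.symlink("/dev/null", os.path.join(home, ".bash_history"))
    return root


if __name__ == "__main__":
    # Pass a real directory to sweep it; with no argument, sweep the demo tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo()
    for kind, path in scan(target):
        print(f"{kind:22s} {path!r}")
```

Run it against /usr, /lib and the home directories of accounts that can log in; the `repr()` in the output is deliberate, so that a '\r' in a name is printed as the escape rather than swallowed by the terminal. A nulled history file is not proof of anything on its own (some administrators do it on purpose), so treat it as a prompt to look harder rather than a verdict.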