Up [UP]

Quality time with script kiddies

From: Kerry Gray 
Newsgroups: alt.sysadmin.recovery
Subject: Quality time with script kiddies
Date: 11 Sep 1999 18:04:43 GMT

G&S were right:  a sysadmin's lot is not a happy one.

I return from Hawaii (first real vacation in three years -- the PFY I 
left behind had to call me only once) and like a good shepherd I look 
over my flock in the machine room.  One nameserver has filled its log 
partition, and is generally acting strange.  'netstat' shows over a hundred 
outbound telnet sessions, mostly SYN_WAITing.  Naughty server, _I_ do the 
telnetting around here.  Hmmm, lots of processes named 'bla' running.  
Logs are trashed, so I turn to that command that is so often the bane of 
script kiddies:

# history
cd /usr/lib/libx/...
../bla -s 134.*.*.* >134
[later on]
more 134
../bla -s 128.*.*.* >128

Fsckwit actually tells me his IP#.  It's from a dialup block in 
de.ibm.net.  I have his address, but abuse@ibm.net will want timestamps.  
I look at /usr/lib/libx/... to see what else might be there.  Oh look, 
he's left his kit bag, a 1.5MB file named 'backi^M'  Isn't that cuuute, 
he thinks a ^M will slow me down...  It's a tar file with all his 
'special' versions of telnetd, tcpd, etc.  Now I know exactly what to 
replace.  I still need that timestamp, though.  Kill all the bla 
sessions, think about all the embarrassing e-mail I'll be getting from 
cert.org, llnl.gov, etc.  It's apparently a German site, so I replace his 
log file '128' with a nice note in fractured German explaining how sex 
with a real woman is more satisfying than fscking with a computer, and 
someday he might get lucky and find that out once his acne clears up, 
etc.  I fire up tcpdump on another host and wait for k3wl haxrr d00d to 
pick up his '128' file.  

The next day the log shows one use of the 'special' telnetd.  I examine 
my tcpdump:

[login without user name via 'special' telnetd]
cd /usr/lib/libx/...
w [wouldn't want somebody watching you, right?]
ls -la [everything's still here]
more 128 [check out the results]
....my note, ending with the famous Zitat, 'leck mich im Arsch'
ls -la [am I looking in the right file?]
more /etc/inetd.conf /etc/sylog.conf [was I discovered?]
more 128 [just can't believe his eyes...has to read it again]
more /var/log/* [desperate searching]
more ~/.sh_history [the truth dawns...]
more ~/.bash_history 
....all his activities laid bare
ln /dev/null ~/.bash_history [right, nobody will _ever_ notice that]
ls -la
....about a five minute pause...
rm -rf [packs up to leave, but leaves the '...' directory for some reason]
[gotta wonder why he didn't just rm -rf /]

I send the tcpdump file to abuse@ibm.net.  A small victory, made easier 
by idiot d00dz.  I read my e-mail, and compose a contrite letter to those 
134.x.x.x sites that wrote to me.  I fire up a replacement server and all is 
well once more. 

Doobee R. Tzeck
Created: Mon Sep 13 19:07:48 CEST 1999
Last modified: Mon Sep 13 19:10:05 CEST 1999