Quality time with script kiddies
From: Kerry Gray
Newsgroups: alt.sysadmin.recovery
Subject: Quality time with script kiddies
Date: 11 Sep 1999 18:04:43 GMT
G&S were right: a sysadmin's lot is not a happy one.
I return from Hawaii (first real vacation in three years -- the PFY I
left behind had to call me only once) and like a good shepherd I look
over my flock in the machine room. One nameserver has filled its log
partition, and is generally acting strange. 'netstat' shows over a hundred
outbound telnet sessions, mostly SYN_WAITing. Naughty server, _I_ do the
telnetting around here. Hmmm, lots of processes named 'bla' running.
Logs are trashed, so I turn to that command that is so often the bane of
script kiddies:
# history
[snip]
cd /usr/lib/libx/...
../bla -s 134.*.*.* >134
[later on]
more 134
ftp
../bla -s 128.*.*.* >128
Fsckwit actually tells me his IP#. It's from a dialup block in
de.ibm.net. I have his address, but abuse@ibm.net will want timestamps.
I look at /usr/lib/libx/... to see what else might be there. Oh look,
he's left his kit bag, a 1.5MB file named 'backi^M'. Isn't that cuuute,
he thinks a ^M will slow me down... It's a tar file with all his
'special' versions of telnetd, tcpd, etc. Now I know exactly what to
replace. I still need that timestamp, though. Kill all the bla
sessions, think about all the embarrassing e-mail I'll be getting from
cert.org, llnl.gov, etc. It's apparently a German site, so I replace his
log file '128' with a nice note in fractured German explaining how sex
with a real woman is more satisfying than fscking with a computer, and
someday he might get lucky and find that out once his acne clears up,
etc. I fire up tcpdump on another host and wait for k3wl haxrr d00d to
pick up his '128' file.
The next day the log shows one use of the 'special' telnetd. I examine
my tcpdump:
[login without user name via 'special' telnetd]
cd /usr/lib/libx/...
w [wouldn't want somebody watching you, right?]
ls -la [everything's still here]
more 128 [check out the results]
....my note, ending with the famous Zitat, 'leck mich im Arsch'
ls -la [am I looking in the right file?]
more /etc/inetd.conf /etc/sylog.conf [was I discovered?]
more 128 [just can't believe his eyes...has to read it again]
more /var/log/* [desperate searching]
more ~/.sh_history [the truth dawns...]
more ~/.bash_history
....all his activities laid bare
ln /dev/null ~/.bash_history [right, nobody will _ever_ notice that]
w
ls -la
....about a five minute pause...
rm -rf [packs up to leave, but leaves the '...' directory for some reason]
[gotta wonder why he didn't just rm -rf /]
I send the tcpdump file to abuse@ibm.net. A small victory, made easier
by idiot d00dz. I read my e-mail, and compose a contrite letter to those
134.x.x.x sites that wrote to me. I fire up a replacement server and all is
well once more.
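The first indicator in the post, a hundred-odd outbound telnet sessions sitting half-open in netstat, as an added detection example that is not part of the original post: it parses Linux-style `netstat -an` output, counts SYN_SENT connections to port 23 and groups them by the /8 block they target (the post's 134.* and 128.* sweeps). The netstat text and the threshold are constructed assumptions; Linux reports the state the post calls SYN_WAIT as SYN_SENT.

```python
import re
from collections import Counter

# Constructed sample of `netstat -an` output (Linux column layout), not from the post.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 10.1.2.3:53             10.1.2.9:40221          ESTABLISHED
tcp        0      1 10.1.2.3:34561          134.10.20.30:23         SYN_SENT
tcp        0      1 10.1.2.3:34562          134.10.20.31:23         SYN_SENT
tcp        0      1 10.1.2.3:34563          134.10.20.32:23         SYN_SENT
tcp        0      0 10.1.2.3:34564          134.10.20.33:23         ESTABLISHED
tcp        0      1 10.1.2.3:34565          128.5.6.7:23            SYN_SENT
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""

# One TCP line: proto, queues, local addr:port, foreign addr:port, state.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)\s+(?P<state>\S+)\s*$"
)

def parse_netstat(text):
    """Yield (foreign_addr, foreign_port, state) for each TCP line with a real peer."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("fport") != "*":      # skip LISTEN sockets with no peer
            yield m.group("faddr"), int(m.group("fport")), m.group("state")

def outbound_scan_summary(text, port=23, threshold=20):
    """Count half-open outbound connections to `port` and the /8 blocks they target.

    A pile of SYN_SENT sockets to one port across one address block is the
    netstat signature of a host sweeping that block, as in the post.
    """
    half_open = 0
    blocks = Counter()
    for faddr, fport, state in parse_netstat(text):
        if fport == port and state == "SYN_SENT":
            half_open += 1
            blocks[faddr.split(".")[0] + ".0.0.0/8"] += 1
    return {"half_open": half_open, "blocks": dict(blocks),
            "suspicious": half_open >= threshold}   # threshold is an assumption

if __name__ == "__main__":
    print(outbound_scan_summary(SAMPLE_NETSTAT, threshold=3))
```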
Doobee R. Tzeck
Created: Mon Sep 13 19:07:48 CEST 1999
Last modified: Mon Sep 13 19:10:05 CEST 1999