<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
Hello--<BR>
<BR>
<BR>
While it doesn't hurt to double check for hackers, maybe even triple check, I also was<BR>
hacked a while back, also for an ebay phishing scheme. They used my solaris machine.<BR>
<BR>
1. They "rootkitted" me. If you don't know what a rootkit is, you'd best learn now. You can pick<BR>
up rootkit-detecting scripts and programs here and there. Use google. I'll guess that linux rootkits<BR>
are especially juicy!<BR>
2. They installed a backup test account, and had their own sshd daemon running.<BR>
3. They had a network password sniffer running.<BR>
4. They had an IRC chat server running.<BR>
5. They put files in the web doc space, imitating an ebay site, advertising a sweepstakes for a luxury car.<BR>
6. They sent out mass mailings pointing to my site (by IP).<BR>
7. Hundreds of folks responded. Somebody called me, and was horrified.<BR>
8. I moved the main sign-in file in the html dirs, and within a minute or two it was back.<BR>
9. I concluded that they were logged in and trying to keep the scam running as long as they could. I pulled the internet connection.<BR>
10. I began a thorough three-day postmortem. Almost everything they did kept logs. What fools!<BR>
11. I changed all passwords, and deleted the new accounts, and took all non-necessary daemons offline, and snapped a <BR>
firewalling router in front of the machine.<BR>
12. I found every file, <B><U>everything</U></B>, and renamed them. Found the startups and reboot scripts and cron additions.<BR>
13. I studied every log. From their own sniffer logs, I got account names and passwords for THEIR <BR>
warez sites. They even left behind the tar files for their rootkit. I learned a lot about rootkits. Most of<BR>
the normal commands you use are replaced with their variant. It's the same size, and has the same dates<BR>
on the files. But their versions of <B>ps</B> won't show the sshd proc, or sniffers, or IRC running. Their <B>ls</B> won't report<BR>
any of the dirs or files for the rootkit. Etc. I won't go into detail about what I did to them...<BR>
I found that having a spare ps and ls in some obscure dir isn't a bad thing to have, for such rainy days.<BR>
Running tripwire is a pain, but would turn up every installed file quickly, based on checksums.<BR>
14. In all of this, I filed FBI reports, and kept ebay apprised. As far as I could tell, the FBI showed absolutely no response.<BR>
For all I know, the FBI web site is purely for stats. And the FTC doesn't respond to anything either. I guess this is small-time<BR>
stuff, and they are saturated. But, no one could point a finger at me or my employer, and say we were complicit. I did<BR>
not destroy any evidence...<BR>
<BR>
Apparently thousands (note the plural) of such scams are executed every month. It'd be hard for any law enforcement<BR>
organization to keep up.<BR>
<BR>
---But, one (or two) errant emails aren't necessarily an indication that you have been hacked! There are a lot of viral emails floating <BR>
around that take addresses from addressbooks, and use random selections for both the recipient and sender. Strange<BR>
things happen when viral emails bounce, especially when one of the parties runs out of disk space, and bounce messages<BR>
start flying. IT NEVER HURTS TO CHECK, though!<BR>
<BR>
murf<BR>
<BR>
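A small integrity checker of the kind the tripwire remark above describes, added here as an example and not code from the original post: it baselines size, mtime and SHA-256 for every file and flags a file whose hash differs although its size and dates still match, the pattern murf describes for the replaced ps and ls. The directory tree, file contents and the "bin/ps" and "bin/.sshd" names in demo() are constructed for the example.<BR>

```python
"""Tripwire-style integrity check: baseline size, mtime and SHA-256 per file, then
flag files whose hash changed while size and mtime did not (a swapped-in ps or ls)."""
import hashlib
import os
import tempfile
from pathlib import Path

def build_baseline(root: str) -> dict:
    """Map relative path -> {size, mtime, sha256} for every regular file under root.
    Keep the result off-box or on read-only media; a baseline the intruder can
    rewrite proves nothing."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size, "mtime": st.st_mtime_ns,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest()}
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; 'trojaned' = same size and mtime, different hash."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": [], "modified": [], "trojaned": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
        elif new["sha256"] != old["sha256"]:
            same_meta = new["size"] == old["size"] and new["mtime"] == old["mtime"]
            report["trojaned" if same_meta else "modified"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: swap a fake bin/ps for a same-length copy, put its
    timestamps back (as the rootkit in the post did), and drop a hidden file."""
    with tempfile.TemporaryDirectory() as root:
        ps = Path(root, "bin", "ps")
        ps.parent.mkdir()
        ps.write_bytes(b"#!/bin/sh\necho real-ps\n")
        before = build_baseline(root)
        st = ps.stat()
        ps.write_bytes(b"#!/bin/sh\necho evil-ps\n")       # same 23 bytes
        os.utime(ps, ns=(st.st_atime_ns, st.st_mtime_ns))   # restore the dates
        Path(root, "bin", ".sshd").write_bytes(b"hidden")   # new rootkit file
        return compare(before, build_baseline(root))
```

A size-and-date comparison alone would report nothing here; only the hash exposes the swapped binary.<BR>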
<BLOCKQUOTE TYPE=CITE>
<TT>You've likely been hacked.</TT><BR>
<BR>
<TT>I have recently had a similar incident where a hacker guessed my root</TT><BR>
<TT>password (MY BAD) and set up an ebay password skimming site.</TT><BR>
<BR>
<TT>I noticed it when I got similar non-deliverable email messages.</TT><BR>
<BR>
<TT>Obviously, first change your password and then look at the /var/www/html</TT><BR>
<TT>directory and see if there are unwelcome pages there. Also be sure to check</TT><BR>
<TT>who is logged in currently. I caught the (*%#@ SOB logged in and bounced</TT><BR>
<TT>the bastard.</TT><BR>
<BR>
<TT>For what it's worth, the hacker's IP address was: 81.12.141.150.</TT><BR>
<BR>
<BR>
<TT>Karl Putz</TT><BR>
<BR>
<TT><FONT COLOR="#737373">>-----Original Message-----</FONT></TT><BR>
<TT><FONT COLOR="#737373">>From: <A HREF="mailto:asterisk-users-bounces@lists.digium.com">asterisk-users-bounces@lists.digium.com</A></FONT></TT><BR>
<TT><FONT COLOR="#737373">>[mailto:<A HREF="mailto:asterisk-users-bounces@lists.digium.com">asterisk-users-bounces@lists.digium.com</A>]On Behalf Of Jean-Louis</FONT></TT><BR>
<TT><FONT COLOR="#737373">>curty</FONT></TT><BR>
<TT><FONT COLOR="#737373">>Sent: Thursday, February 10, 2005 9:10 AM</FONT></TT><BR>
<TT><FONT COLOR="#737373">>To: Asterisk Users Mailing List - Non-Commercial Discussion</FONT></TT><BR>
<TT><FONT COLOR="#737373">>Subject: [Asterisk-Users] asterisk@home scary log</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>Hi everybody,</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>I'm testing asterisk@home 0.4,</FONT></TT><BR>
<TT><FONT COLOR="#737373">>looks great so far</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>I was working when I was alerted by a beep coming from the * pc...</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>I connected a screen to it and saw that there was a message which</FONT></TT><BR>
<TT><FONT COLOR="#737373">>looked like:</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>Message from syslogd@asterisk1 at Thu Feb 10 09:01:00 2005 ...</FONT></TT><BR>
<TT><FONT COLOR="#737373">>asterisk1</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>so I stopped asterisk, typed mail and got a strange mail saying that</FONT></TT><BR>
<TT><FONT COLOR="#737373">>user <A HREF="mailto:xxxx@yahoo.com">xxxx@yahoo.com</A> could not be reached and body was like if it was</FONT></TT><BR>
<TT><FONT COLOR="#737373">>the result of commands ifconfig etc</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>unfortunately I don't have the message anymore but I went to the log</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>and saw this</FONT></TT><BR>
<TT><FONT COLOR="#737373">>Feb 9 20:30:07 asterisk1 sendmail[10088]: j1A1U7mf010088:</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT>from=<<A HREF="mailto:root@asterisk1.local">root@asterisk1.local</A>>, size=329, class=0, nrcpts=1,</TT></FONT><BR>
<TT><FONT COLOR="#737373">>msgid=<<A HREF="mailto:200502100130.j1A1U7Q1010071@asterisk1.local">200502100130.j1A1U7Q1010071@asterisk1.local</A>>, proto=ESMTP,</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT>daemon=MTA, relay=asterisk1.local [127.0.0.1]</TT></FONT><BR>
<TT><FONT COLOR="#737373">>Feb 9 20:30:07 asterisk1 sendmail[10071]: j1A1U7Q1010071:</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT><A HREF="mailto:to=paym3now@gmail.com">to=paym3now@gmail.com</A>, ctladdr=root (0/0), delay=00:00:00,</TT></FONT><BR>
<TT><FONT COLOR="#737373">>xdelay=00:00:00, mailer=relay, pri=30049, relay=[127.0.0.1]</FONT></TT><BR>
<TT><FONT COLOR="#737373">>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7mf010088 Message accepted for</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT>delivery)</TT></FONT><BR>
<TT><FONT COLOR="#737373">>Feb 9 20:30:07 asterisk1 sendmail[10077]: j1A1U7CY010077:</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT><A HREF="mailto:to=paym3now@gmail.com">to=paym3now@gmail.com</A>, ctladdr=root (0/0), delay=00:00:00,</TT></FONT><BR>
<TT><FONT COLOR="#737373">>xdelay=00:00:00, mailer=relay, pri=30068, relay=[127.0.0.1]</FONT></TT><BR>
<TT><FONT COLOR="#737373">>[127.0.0.1], dsn=2.0.0, stat=Sent (j1A1U7Ns010089 Message accepted for</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT>delivery)</TT></FONT><BR>
<TT><FONT COLOR="#737373">>Feb 9 20:30:17 asterisk1 sendmail[10094]: j1A1U7Ns010089:</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT>to=<<A HREF="mailto:paym3now@gmail.com">paym3now@gmail.com</A>>, ctladdr=<<A HREF="mailto:root@asterisk1.local">root@asterisk1.local</A>> (0/0),</TT></FONT><BR>
<TT><FONT COLOR="#737373">>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30348,</FONT></TT><BR>
<TT><FONT COLOR="#737373">>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT>1107998984)</TT></FONT><BR>
<TT><FONT COLOR="#737373">>Feb 9 20:30:17 asterisk1 sendmail[10093]: j1A1U7mf010088:</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT>to=<<A HREF="mailto:paym3now@gmail.com">paym3now@gmail.com</A>>, ctladdr=<<A HREF="mailto:root@asterisk1.local">root@asterisk1.local</A>> (0/0),</TT></FONT><BR>
<TT><FONT COLOR="#737373">>delay=00:00:10, xdelay=00:00:10, mailer=esmtp, pri=30329,</FONT></TT><BR>
<TT><FONT COLOR="#737373">>relay=gsmtp171.google.com. [64.233.171.27], dsn=2.0.0, stat=Sent (OK</FONT></TT><FONT COLOR="#737373"> </FONT><FONT COLOR="#737373"><TT>1107998984)</TT></FONT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>the thing is i did not send any message to <A HREF="mailto:paym3now@gmail.com">paym3now@gmail.com</A> nor to</FONT></TT><BR>
<TT><FONT COLOR="#737373">>somebody at yahoo,</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>anybody got the same? what can I do??</FONT></TT><BR>
<TT><FONT COLOR="#737373">></FONT></TT><BR>
<TT><FONT COLOR="#737373">>thanks</FONT></TT><BR>
<TT><FONT COLOR="#737373">>jl</FONT></TT>
</BLOCKQUOTE>
</BODY>
</HTML>