[Wolves] Wolves Digest, Vol 269, Issue 8

Wayne waynelists at machx.co.uk
Sat Dec 6 12:13:24 UTC 2008

wolves-request at mailman.lug.org.uk wrote:
> Message: 1
> Date: Fri,  5 Dec 2008 15:56:03 +0000
> From: "Roundyz" <roundyz at hotmail.ru>
> Subject: Re: [Wolves] Hacking attempt - what next
> To: wolves at mailman.lug.org.uk
> Message-ID: <lgRSGWSzLDNV.0sv18CSS at mail.pochta.ru>
> Content-Type: text/plain; charset=US-ASCII
> 6 hours to get in, that's fast if the box wasn't being watched... Do you think the box was randomly attacked? Did the attacker brute force in, or did he have a key?

No, like a dimwit, I'd also set up a user to catch email for a one-off
event, let's call him 'dave', and since I'm the only one in the building,
and don't use ssh, I'd set the password as 'dave' - doh. Though the odds
on someone trying all the users and then trying the name as password must
be low? That's the way I assume they got in; the logs show about 3000
failed attempts. Oh, and Romania, not Russia.
They first tried to download a Windows file before moving to Linux stuff,
and the content of one of the tars seems to indicate a spam package.

I've deleted the account and run a couple of rootkit detectors which seem
to indicate it's clean (and the payload files were all from 2006, so I
guess they must be known about).
How hard is it to get control of root of the system from a user account?
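As an added illustration (not part of the original thread), the pattern described above, a run of failed password guesses against many usernames followed by a successful password login for one of them, can be picked out of an OpenSSH auth log. The log lines below are constructed samples, and the function name `analyse` is my own choice.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH/syslog style (not taken from the post).
SAMPLE_AUTH_LOG = """\
Dec  4 09:12:01 box sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40211 ssh2
Dec  4 09:12:03 box sshd[2203]: Failed password for invalid user oracle from 192.0.2.10 port 40215 ssh2
Dec  4 09:12:05 box sshd[2205]: Failed password for root from 192.0.2.10 port 40218 ssh2
Dec  4 09:12:07 box sshd[2207]: Failed password for dave from 192.0.2.10 port 40222 ssh2
Dec  4 09:12:09 box sshd[2209]: Accepted password for dave from 192.0.2.10 port 40230 ssh2
Dec  4 10:00:00 box sshd[2300]: Accepted publickey for wayne from 198.51.100.7 port 51000 ssh2
"""

# "invalid user" appears when the username does not exist on the box.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyse(log_text, threshold=3):
    """Return (failed attempts per source IP, list of suspicious logins).

    A login is suspicious when the same source IP already had at least
    `threshold` failed password attempts earlier in the log: the shape of a
    guessed password rather than a normal user mistyping once or twice.
    """
    failures = Counter()            # source IP -> number of failed attempts
    users_tried = defaultdict(set)  # source IP -> usernames it tried
    suspicious = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            users_tried[src].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if failures[src] >= threshold:
                suspicious.append({"user": user, "src": src, "method": method,
                                   "prior_failures": failures[src],
                                   "users_tried": sorted(users_tried[src])})
    return failures, suspicious


if __name__ == "__main__":
    counts, hits = analyse(SAMPLE_AUTH_LOG)
    for src, n in counts.most_common():
        print(f"{src}: {n} failed attempts")
    for hit in hits:
        print("suspicious login:", hit)
```

Run against a real /var/log/auth.log the same function reports which source produced the ~3000 failures and whether a later successful login came from it; a key-based login with no preceding failures from that source is not flagged.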
