This was prompted after 303.org was compromised and a sniffer was found. That sniffer showed that an SSH backdoor had been installed, and that the user account 'tacd' had logged into elite.sekurity.org and obscure.sekurity.org. Below is the relevant output, along with the mail sent to netcom (which has not been answered to date). Since this incident, three people have independently verified that the individual behind the attacks (including the RM of skillz.303.org) was Eric Ginorio (aka Bronc Buster). All attempts to contact the admin of his site, the system he used to connect to obscure in another incident, have received no response. The second incident shows where Eric later connected directly to obscure, logged in for several hours, etc.

=-= host: elite
tacd     pts/2    skillz.303.org   Fri Jan 30 20:28   still logged in

=-= host: obscure
tacd     ttyp4    skillz.303.org   Fri Jan 30 23:49 - 23:55  (00:06)
tacd     ttyp2    skillz.303.org   Fri Jan 30 21:31 - 23:24  (01:52)

Jan 30 21:31:30 obscure sshd[7610]: log: Connection from 206.124.26.47 port 21050
Jan 30 21:31:41 obscure sshd[7610]: log: Password authentication for tacd accepted.
Jan 30 22:37:12 obscure sshd[8301]: log: Connection from 206.124.26.17 port 1023
Jan 30 23:48:45 obscure sshd[9322]: log: Connection from 206.124.26.47 port 20794
Jan 30 23:48:59 obscure sshd[9322]: log: Password authentication for tacd accepted.
Jan 30 23:55:02 obscure sshd[9322]: log: Closing connection to 206.124.26.47

=-= host: obscure   user: tacd   file: ~/.ncftp/history
o netcom.com
quit
get chole.tgz
del chole.tgz
quit

=-= host: obscure   user: tacd   file: ~/.ncftp/log
netcom.com at Fri Jan 30 23:51:48 1998
    get   1.28 kB   ftp://netcom.com/u1/zeelan/chole.tgz

=-= host: obscure   command: ls -R /home/tacd
total 31
drwx--x--x   3 tacd     users        1024 Feb  3 00:51 ./
drwxr-xr-x  25 root     root         1024 Jan 29 19:01 ../
-rw-------   1 tacd     users          32 Dec  3 12:02 .bashrc
-rw-------   1 tacd     users         238 Dec  3 12:02 .forward-if-proc
-rw-r--r--   1 tacd     users          34 Dec  3 12:02 .less
-rw-r--r--   1 tacd     users         114 Dec  3 12:02 .lessrc
drwxr-xr-x   2 tacd     users        1024 Jan 30 23:51 .ncftp/
-rw-------   1 tacd     users       10598 Dec  7 11:35 .pinerc
-rw-------   1 tacd     users       10598 Dec  3 12:02 .pinerc7
-rw-------   1 tacd     users         287 Dec  3 12:02 .procmailrc-if-proc
-rw-r--r--   1 tacd     users         388 Dec  3 12:02 .profile

.ncftp:
total 6
drwxr-xr-x   2 tacd     users        1024 Jan 30 23:51 ./
drwx--x--x   3 tacd     users        1024 Feb  3 00:51 ../
-rw-r--r--   1 tacd     users         137 Jan 30 23:51 bookmarks
-rw-r--r--   1 tacd     users          51 Jan 30 23:51 history
-rw-r--r--   1 tacd     users          94 Jan 30 23:51 log
-rw-r--r--   1 tacd     users         308 Jan 30 23:51 prefs

=-= host: obscure   command: find / -user tacd -print
./tmp/.341.1807
./var/spool/mail/zen
./var/man/man/cat1/cut.1.gz
./var/man/man/cat1/lynx.1.gz
./var/man/man/cat8/route.8.gz
./home/tacd
./home/tacd/.less
./home/tacd/.lessrc
./home/tacd/.profile
./home/tacd/.pinerc7
./home/tacd/.bashrc
./home/tacd/.pinerc
./home/tacd/.procmailrc-if-proc
./home/tacd/.forward-if-proc
./home/tacd/.ncftp
./home/tacd/.ncftp/log
./home/tacd/.ncftp/prefs
./home/tacd/.ncftp/history
./home/tacd/.ncftp/bookmarks
./etc/sendmail/tacd
./etc/sendmail/tacd/tacd.com
./etc/sendmail/tacd/tacd
./etc/sendmail/tacd/boozebros
./etc/sendmail/tacd/cotx
./etc/sendmail/tacd/censored
./etc/sendmail/tacd/ic
./etc/sendmail/tacd/lie
./etc/sendmail/tacd/site

=-=

>From root@sekurity.org Tue Feb  3 00:23:03 1998
From: root
To: security@netcom.com, abuse@netcom.com
Date: Tue, 3 Feb 1998 01:06:40 -0700 (MST)
Subject: security breach on obscure.sekurity.org & netcom.com

Sometime on Jan 30th, a host on the 303.org network was compromised. From there, a sniffer was installed and a login/password to obscure.sekurity.org was captured. (The sniffer was actually a modified ssh daemon, as telnet is not allowed to this system.) The unknown attacker logged into user account 'tacd' here, and one of his/her actions was to ftp to netcom.com and retrieve a file. In the ftp history they did a "get" and "del" on this file, so it is most likely not there. As we all know, this doesn't necessarily mean user "zeelan" was the culprit, and if not, his/her account has been compromised as well. The file "chole.tgz" does not exist on this system any longer.

If you have any relevant logs that would help identify who is behind these attacks, I would appreciate it.

netcom.com at Fri Jan 30 23:51:48 1998
    get   1.28 kB   ftp://netcom.com/u1/zeelan/chole.tgz

Thank you for your help...

sekurity.org admin staff
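The sshd syslog lines and the `last` records above are the two views of the same logins, and the report reads them by hand: pid 7610 has an accepted authentication but no "Closing connection" line, pid 8301 is a connection from a second host that never authenticates, and pid 9322 is the six-minute session during which the ncftp transfer happened. The script below is an added example, not part of the original report or anything the sekurity.org admins ran; it embeds those exact lines as constructed input, groups the sshd lines by daemon pid into sessions, separates authenticated from unauthenticated connections, and ties each authenticated session to its wtmp entry by login minute. The year (1998) is an assumption, since neither syslog nor `last` records one; the function names are mine.

```python
import re
from datetime import datetime

# Constructed input: the sshd syslog lines and the `last` records quoted in the
# report, embedded here so the script runs offline. The year (1998) is assumed,
# because classic syslog timestamps and `last` output carry none.
YEAR = 1998

SSHD_LOG = """\
Jan 30 21:31:30 obscure sshd[7610]: log: Connection from 206.124.26.47 port 21050
Jan 30 21:31:41 obscure sshd[7610]: log: Password authentication for tacd accepted.
Jan 30 22:37:12 obscure sshd[8301]: log: Connection from 206.124.26.17 port 1023
Jan 30 23:48:45 obscure sshd[9322]: log: Connection from 206.124.26.47 port 20794
Jan 30 23:48:59 obscure sshd[9322]: log: Password authentication for tacd accepted.
Jan 30 23:55:02 obscure sshd[9322]: log: Closing connection to 206.124.26.47
"""

LAST_OUTPUT = """\
tacd     ttyp4    skillz.303.org   Fri Jan 30 23:49 - 23:55  (00:06)
tacd     ttyp2    skillz.303.org   Fri Jan 30 21:31 - 23:24  (01:52)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: log: (?P<msg>.*)$")
CONN_RE = re.compile(r"Connection from (?P<ip>[\d.]+) port (?P<port>\d+)")
AUTH_RE = re.compile(r"Password authentication for (?P<user>\S+) accepted")
CLOSE_RE = re.compile(r"Closing connection to [\d.]+")
LAST_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+\S+\s+\w{3} (?P<start>\w{3}\s+\d+ \d\d:\d\d) - ")


def syslog_time(stamp, fmt="%b %d %H:%M:%S"):
    """Attach the assumed year to a year-less syslog or `last` timestamp."""
    return datetime.strptime(f"{YEAR} {stamp}", "%Y " + fmt)


def reconstruct_sessions(log_text):
    """Group sshd lines by daemon pid into one record per connection."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line of the form we understand
        pid = int(m["pid"])
        s = sessions.setdefault(pid, {"pid": pid, "src": None, "port": None,
                                      "user": None, "authed": None, "closed": None})
        when = syslog_time(m["ts"])
        conn = CONN_RE.search(m["msg"])
        auth = AUTH_RE.search(m["msg"])
        if conn:
            s["src"], s["port"] = conn["ip"], int(conn["port"])
        elif auth:
            s["user"], s["authed"] = auth["user"], when
        elif CLOSE_RE.search(m["msg"]):
            s["closed"] = when
    return list(sessions.values())


def summarize(sessions):
    """Split sessions into authenticated (pid, user, src, seconds-or-None) and
    unauthenticated (pid, src, port). A connection that never reaches an
    accepted authentication deserves its own look: in the report, pid 8301
    arrives from a different host on a privileged source port (below 1024)."""
    authed, unauthed = [], []
    for s in sessions:
        if s["user"]:
            secs = (s["closed"] - s["authed"]).total_seconds() if s["closed"] else None
            authed.append((s["pid"], s["user"], s["src"], secs))
        else:
            unauthed.append((s["pid"], s["src"], s["port"]))
    return authed, unauthed


def match_last(sessions, last_text, slack=60):
    """Map each authenticated sshd session to the `last` (wtmp) record whose
    login minute lies within `slack` seconds of the accepted authentication.
    This ties a session with no 'Closing connection' line (pid 7610) to its
    tty and logout time; wtmp entries left unmatched have no sshd counterpart."""
    records = []
    for line in last_text.splitlines():
        m = LAST_RE.match(line)
        if m:
            records.append((m["user"], m["tty"], syslog_time(m["start"], "%b %d %H:%M")))
    matched = {}
    for s in sessions:
        if not s["user"]:
            continue
        for user, tty, start in records:
            if user == s["user"] and abs((start - s["authed"]).total_seconds()) <= slack:
                matched[s["pid"]] = tty
                break
    return matched


if __name__ == "__main__":
    sess = reconstruct_sessions(SSHD_LOG)
    authed, unauthed = summarize(sess)
    ttys = match_last(sess, LAST_OUTPUT)
    for pid, user, src, secs in authed:
        length = "no close logged" if secs is None else f"{int(secs)}s"
        print(f"pid {pid}: {user} from {src} on {ttys.get(pid, '?')}, {length}")
    for pid, src, port in unauthed:
        print(f"pid {pid}: connection from {src}:{port} never authenticated")
```

The one-minute slack in match_last is deliberate: sshd logs the accepted password at 23:48:59 while wtmp records the login as 23:49, because the wtmp entry is written when the shell's tty is allocated, a moment after authentication. Without it the second session would fail to match even though both records describe the same login.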