The Pumpkin Incident
Another gem destined for the misty clouds of legend until we all realised that Singer's sad enough to keep all these records, this incident remains intriguing despite it being not as well known as other incidents in our society's wonderful and coloured history.
While Singer refers to the incident as the 'Jerry/Spock/Hacker d00d incident', I'm calling it the Pumpkin Incident because it seems to make more sense.
Below is the file Singer held onto.
Hey.
The Jerry/Spock/Hacker D00D incident.
Summary: User "Pumpkin"'s password is on a list, somewhere on the internet, and Irish cracker types know it. (Knew it, it's since been changed). Pumpkin had not changed her password since first year (And actively changed password back to old password). Her old password is now presumed to have been sniffed at some stage, and two (or more) people logged into her account from EsatClear accounts, from these logs.
From "last pumpkin". pumpkin ftp 194.145.134.224 Wed Jan 5 02:34 - 03:10 (00:35) pumpkin ttyp0 cao.link.hea.net Wed Jan 5 02:18 - 03:09 (00:50) pumpkin ttyp3 cao.link.hea.net Wed Jan 5 00:43 - 00:59 (00:15) pumpkin ftp 194.145.134.242 Tue Jan 4 22:46 - 23:02 (00:15) pumpkin ftp 194.145.130.147 Tue Jan 4 22:44 - 23:00 (00:16) pumpkin ttyp3 194.145.130.147 Tue Jan 4 22:30 - 23:14 (00:43) pumpkin ttyp9 194.145.134.242 Tue Jan 4 22:09 - 23:19 (01:09) pumpkin ttyp3 194.145.130.147 Tue Jan 4 22:08 - 22:30 (00:22)
From auth.log. Jan 4 22:08:08 enigma login: login from airlock147.esatclear.ie on ttyp3 as pumpkin Jan 4 22:09:52 enigma login: login from e-airlock242.esatclear.ie on ttyp9 as pumpkin Jan 4 22:30:56 enigma login: login from airlock147.esatclear.ie on ttyp3 as pumpkin Jan 5 00:43:50 enigma login: login from cao.link.hea.net on ttyp3 as pumpkin Jan 5 02:18:50 enigma login: login from cao.link.hea.net on ttyp0 as pumpkin
I won't go into every detail, and I don't know every detail, but Jerry saw Pumpkin logged in last night, and heyed hello. He got a bit suspicious, and noted some odd processes she was running.
pumpkin p3 cao.link.hea.net 12:43AM - showmount 127.0.0.1 pumpkin p0 cao.link.hea.net 2:18AM - rpcinfo -p www.leet.com pumpkin 96591 0.0 0.2 1096 812 ?? Is 2:34AM 0:00.10 ftpd: e-airlock224.esatclear.ie: ...-> pumpkin: LIST\r\n (ftpd) pumpkin 96591 0.0 0.2 1096 812 ?? Ss 2:34AM 0:00.15 ftpd: e-airlock224.esatclear.ie: ...-> pumpkin: STOR VeteScan-12-26-99.tar.gz\r\n (ftpd)
He had a hunch it was some dodgy cracker kind, and noticed the Irish IP, so went to
- hackers_ireland on dal.net (Actually, he's there quite a bit anyway).
Low and behold, there was somebody on at that IP, Jon went on, confronted him, (sheet_leet is a dodgy nick ;) ) he logged out of our system immediately.
On hearing some of this, I tarred Pumpkins account (see /root/pumpkin.incident, a few log file snippets in there, admin folk). In it was a root kit (untarred, too), a .rhosts file and a netcat download.
The root kit is full of Linux binarys, it had no FreeBSD ones. It seems it didn't even run - On running some of it, the first thing it did was compile up nmap (A port scanner, committee kids ;) ) and put .o files all over the place - It was a very unprofessionally put together kit, it was --prefixed to /usr/local :) (Wouldn't a hidden directory in /tmp be a little nicer - No silly errors! Also, why bother with a make install, sheesh.)
When Jon confronted him about being on our system, and earlier today too by Jerry, it seems he wanted a shell and somewhere to store stuff... There doesn't seem to be any evidence of anything done to our system, I didn't see anything in the root kit which threatened system security.
On the other hand, I've made two changes to the system to help admins in situations like this again.
1. the files ftp'ed are logged - It'd be nice to see exactly what was put on our system... Though they could use lynx to get around it, or mail, etc. 2. Attempts to get to network ports that aren't in use (insecure services, RPC etc.) are logged.
I've got to reccomend running the kernel in securemode too - It'll break the default make world mechanism, but you can get around it without too much bother [1] and [2].
How about we do this after the 3.4 upgrade (I thought that was happening yesterday? :) )? It'll break mounting of filesystems in multiuser mode, along with access to kernel/phyiscal memory, thus semi-fixing the earlier Jerry in group kmem problem :) (Well, he won't have write access, and won't have been able to take over peoples logins.)
_Nothing_ in Pumpkins account was touched, it seems, asides from those few uploads, and the .rhosts file (Pah, as if that'd work).
Incidentally, on seeing that we had got a dodgy login from cao.link.hea.net, I got in contact with Dave Wilson in HEANET, and let him know - They're onto it, I passed as much info. as I could over to him, he was very appreciative.
I don't think that there's any other passwords out there, certainly not the passwords from Wibble's Freshers day package, which is where Pumpkins password comes from - There were no other dodgy logins from esat or attempted ones from any Irish ISP around that time (though we had a "root" and "admin" attempt from somewhere earlier that day), so I think it was more than likely sniffed from a Internet Cafe or some other insecure box in between Pumpkins home when she telnets in, etc. etc. - There's lots of ways to get passwords off telnet users.
One cannot praise enough the alertness of Jerry, and how much of a future "Shadow" he is, and the balls of Spock, confronting the poor chap ;)
There are gaps in the story, and perhaps one or two jumps of logic where I haven't filled in a hole in the detail - I've read a lot of IRC logs today, and have heyed Jerry and Jon alot :)
Brian.
[1] http://www.nothing-going-on.demon.co.uk/FreeBSD/make-world/make-world.html [2] http://www.freebsd.org/~jkb/howto.html
--Emperor
Originally from the Encyclopedia