Hi, I have been in the business of administration for Unix and Linux for
almost ten years now.
My laptop was hacked, and in such a way that my AIDE (a free version of
Tripwire) was bypassed by a lib which was LD_PRELOADed, affecting the file
system. I was testing WiFi and got my iptables firewall messed up for a day.
I believe the attack originated from a #gentoo-sparc channel, but I nuked
all my logs in a hurry to get the system back up.
/bin/ps, /bin/netstat, among others, had been changed to immutable and
md5sums didn't match the ones on record.
I have most of the hacked system on my NFS server and am bringing it back up
to watch traffic.
The trojan was sending data to IP address 224.0.0.251 on port 5353.
I cannot find who owns this IP address and it could be a decoy.
I replaced these to attempt to track down the hackers and the lib
disappeared, but I still have hacked binaries (/bin/login etc.) on tape.
I should have just left it alone so I didn't inadvertently destroy evidence.
When I asked for help from the second in command at Gentoo Linux I
received none, and the following is what I have so far.
My legal aide and I came in as botched and th3mp in this conversation
with seemant, the second in command at Gentoo,
as follows:
Nov 01 13:00:33 <botched> if i ask politely for logs concerning
conversations with themp from oct-12th through the 29th will gentoo be
so kind as to supply them ? also, i just need them for this channel.
Nov 01 13:01:24 <wesolows> botched: It seems Gentoo can't; if you trust
me, you can have mine, but they're not "official"
Nov 01 13:02:58 <botched> i would like yours even if not official. if
indeed the extent of damage is as is vast as we can tell so far a
subpoena will have to be issued.
Nov 01 13:03:23 <wesolows> oh dear
Nov 01 13:03:42 <botched> yes, this is a very serious issue
Nov 01 13:03:58 <botched> it has already cost much money
Nov 01 13:04:01 <wesolows> sorry, I don't want any involvement then
Nov 01 13:04:15 <wesolows> even as an unofficial helpful provider of
personal logs
Nov 01 13:04:20 <botched> wesolows not even to give channel logs ?
Nov 01 13:04:43 <wesolows> no, I'm sorry, because they could be
incomplete, and there's no way to know if that's the case.
Nov 01 13:05:01 <botched> I personally think compliance from gentoo would
be a good thing for all sides
Nov 01 13:05:52 <botched> I can't until i have investigated further, and
cannot disclose more information at this point in time.
Nov 01 13:06:02 <seemant> botched: what damage?
Nov 01 13:06:05 <seemant> and what issue?
Nov 01 13:06:25 <seemant> and don't you try and threaten people about
subpoenas and legal action
Nov 01 13:06:34 <seemant> if there's a problem, I'm the one to talk to
Nov 01 13:07:31 <seemant> botched: now, if you have something to say,
talk to me, and leave everyone else in here the HELL ALONE
Nov 01 13:07:32 <seemant> got me?
Nov 01 13:07:49 <botched> I would like to discuss this with you but not
on irc
Nov 01 13:09:14 <botched> seemant, themp's system was hacked on october
12th attack originating from an ip which frequests this #gentoo-sparc
irc channel
Nov 01 13:10:21 * `Kumba avoids formulating theories and goes to fetch
screwdriver handle
Nov 01 13:10:34 <seemant> botched: then you can very well email me
Nov 01 13:11:07 * xming checking his system for intruders
Nov 01 13:11:10 <botched> excuse me frequents
Nov 01 13:11:17 <seemant> botched: and, when you do, I want your full
name and your full credentials that I can personally verify
Nov 01 13:11:49 <botched> Seemant i am finished
Nov 01 13:12:13 * bazik looks at Epidemic
Nov 01 13:12:38 <seemant> botched: good, and I'll thank you to shut up
in this channel with the threatening of the people, in the future
and in private message with seemant, second in command at gentoo.
**** BEGIN LOGGING AT Sat Nov 1 14:34:14 2003
Nov 01 14:34:16 <th3mp> yo
Nov 01 14:35:29 <th3mp> why do you have such an issue with me tracking
down hackers? do you have some kind of policy at gentoo against this ?
Nov 01 14:35:37 --- Received a CTCP VERSION from bazik
Nov 01 14:36:39 >version< CTCP TH3MP
Nov 01 14:36:48 >th3mp< CTCP VERSION
Nov 01 14:36:48 --- Received a CTCP VERSION from th3mp
Nov 01 14:37:21 --- Received a CTCP VERSION from botched
[seemant has address
~seemant@ca-stmnca-cuda1-blade2a-82.stmnca.adelphia.net]
Nov 01 14:39:20 <seemant> you do what you have to do
Nov 01 14:39:21 <seemant> but
Nov 01 14:39:33 <seemant> you've been carrying on in completely the
WRONG way
Nov 01 14:39:54 <th3mp> okay then how would you like me to carry on? i
can't read your mind
Nov 01 14:39:55 <seemant> you do NOT come into the channel (a. fucking
pretending you're someone else) and b. threatening people with subpoenas
Nov 01 14:40:04 <seemant> carry on with civility
Nov 01 14:40:09 <seemant> NOT with threats
Nov 01 14:40:13 <th3mp> i'm not doing anything or threatening anything
Nov 01 14:40:20 <seemant> right now, all there is is your word that you
got hacked
Nov 01 14:40:22 <seemant> no proof
Nov 01 14:40:34 <seemant> and you come in here with threats about
calling lawyers and issuing subpoenas
Nov 01 14:40:45 <seemant> if you have intent to do that, then just do it
Nov 01 14:40:59 <seemant> don't come in here acting all macho and being
an ass about it
Nov 01 14:41:11 <th3mp> my lawyer will be online as soon as i set up a bnc
Nov 01 14:41:25 <th3mp> if that's how you take it seemant that is your
issue not mine
Nov 01 14:41:31 <seemant> then let him come online
Nov 01 14:41:33 <th3mp> i am not being macho
Nov 01 14:41:39 <seemant> if you wish
Nov 01 14:41:47 <seemant> I'm done with the convo
Nov 01 14:42:07 <seemant> if your lawyer needs to contact ANYONE in the
channel, s/he contacts me first, as I am the one in charge of the channel
Nov 01 14:42:15 <th3mp> okay seemant why are you so upset anyways ?
Nov 01 14:42:18 <seemant> and like I told you before, full name and
verifiable credentials
Nov 01 14:42:29 <seemant> because I do not like your attitude th3mp
Nov 01 14:42:32 <seemant> that's why
Nov 01 14:42:38 <th3mp> seemant you don't make security policies on
freenode and you don't own gentoo
Nov 01 14:42:48 <seemant> I own this channel
Nov 01 14:42:52 <seemant> simple as that
Nov 01 14:42:56 <th3mp> okay then you own this channel
Nov 01 14:43:03 <seemant> as far as owning gentoo, I am the second in
command at gentoo
Nov 01 14:43:14 <th3mp> that's nice to know
Nov 01 14:43:45 <seemant> and your box being hacked, is not a freenode
security policy
Nov 01 14:43:51 <seemant> it's a "your box" security policy
Nov 01 14:44:30 <th3mp> not if you don't wish to help by giving
information any other distro who owns a channel would gladly give out
Nov 01 14:44:35 <th3mp> it's like you have something to hide
Nov 01 14:44:46 <th3mp> at least that's how it looks to me
Nov 01 14:44:48 <seemant> as for my developers, I will stand by them
100%; IF your box got hacked, it was NOT a gentoo developer or a
representative of gentoo
Nov 01 14:44:51 <seemant> hahaha
Nov 01 14:44:52 <seemant> you're funny
Nov 01 14:45:00 <th3mp> why ?
Nov 01 14:45:05 <seemant> I'd almost say you're cute, except for the
fact that you're annoying
Nov 01 14:45:15 <seemant> if you want co-operation, ask for it NICELY
Nov 01 14:45:18 <seemant> not with a threat
Nov 01 14:45:24 <th3mp> why wouldn't you help? seems like that would be
the proper thing to do and the ethical one
Nov 01 14:45:33 <th3mp> there was no threat
Nov 01 14:45:34 <seemant> you never asked me for help
Nov 01 14:45:38 <seemant> not nicely, not any other way
Nov 01 14:45:46 <seemant> you spouted off about subpoenas straight off
Nov 01 14:45:53 <seemant> sorry, but that doesn't seem like "asking for
help"
Nov 01 14:46:01 <th3mp> perhaps, i didn't have the social skills to ask
you the way you wanted
Nov 01 14:46:06 <seemant> anyhow, I'm done, and I'm putting you on
/ignore now
Nov 01 14:46:17 <th3mp> okay seemant
**** ENDING LOGGING AT Sat Nov 1 14:52:00 2003
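An offline check of the kind the incident at the top of this post calls for, as an added example that is not the poster's code: the suspect disk is mounted read-only on a clean host (a constructed temp tree stands in for it here), the binaries are hashed with the clean host's own tools against the md5sums recorded before the incident, lsattr output is scanned for the immutable bit, and /etc/ld.so.preload is read for libraries forced into every process. The mount layout, the baseline format and the library name /lib/libhide.so.0 are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def parse_baseline(text):
    """Parse md5sum-style lines ('<hex>  /path') into {path: hex}."""
    pairs = re.findall(r"^([0-9a-f]{32})\s+(/\S+)$", text, re.M)
    return {path: digest for digest, path in pairs}

def verify_tree(mount_root, baseline):
    """Hash each baseline path under the offline mount with the clean host's own
    Python, so a library preloaded on the suspect disk cannot lie about it."""
    status = {}
    for path, expected in baseline.items():
        full = Path(mount_root, path.lstrip("/"))
        if not full.is_file():
            status[path] = "MISSING"
            continue
        digest = hashlib.md5(full.read_bytes()).hexdigest()
        status[path] = "ok" if digest == expected else "MISMATCH"
    return status

def immutable_from_lsattr(text):
    """Paths whose lsattr flag field contains 'i' (the chattr +i bit)."""
    return {p for f, p in re.findall(r"^(\S+)\s+(/\S+)$", text, re.M) if "i" in f}

def preload_entries(mount_root):
    """Libraries forced into every dynamically linked process via ld.so.preload."""
    p = Path(mount_root, "etc/ld.so.preload")
    if not p.is_file():
        return []
    return [l.strip() for l in p.read_text().splitlines() if l.strip() and not l.startswith("#")]

def make_sample_tree():
    """Constructed fixture standing in for the mounted suspect disk: /bin/ps is
    replaced and marked immutable, /bin/login is gone, a preload lib is set."""
    root = Path(tempfile.mkdtemp())
    pristine = {"/bin/ps": b"ps v1\n", "/bin/netstat": b"netstat v1\n", "/bin/login": b"login v1\n"}
    baseline = "\n".join(f"{hashlib.md5(d).hexdigest()}  {p}" for p, d in pristine.items())
    (root / "bin").mkdir(); (root / "etc").mkdir()
    for p, d in pristine.items():
        (root / p.lstrip("/")).write_bytes(d)
    (root / "bin/ps").write_bytes(b"trojaned ps\n")
    (root / "bin/login").unlink()
    (root / "etc/ld.so.preload").write_text("/lib/libhide.so.0\n")  # hypothetical lib name
    lsattr = "----i-------- /bin/ps\n------------- /bin/netstat\n"
    return str(root), baseline, lsattr
```

On a real case the baseline is the md5sum listing taken before the incident, and lsattr is run from the clean host against the mounted tree rather than from the suspect system.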