Today someone just happened to ask on the GRLUG list where logins are logged. I thought the answer was cool, so I looked at my laptop. The first thing I noticed was that someone had tried logging in with about 45 usernames, mostly people’s first names. I thought this was funny until I saw that “james” had successfully logged in.
Several months ago I created that account for my friend James while he was sitting next to me, so he could grab some stuff from my laptop. I think I left the passwd as “james” so it would be easy, thinking I’d delete it later. I didn’t, and here I am today with my laptop being a DDOS tool. My own stupid fault.
The nice part is that the guy who did it is a RANK amateur. He didn’t hide anything. The .bash_history file was intact for “james” and I was able to look at everything he did, track it all down, and delete it. I don’t really believe I got it all, so I’ll be re-installing, but that’s what I deserve for being ST00000000000PID!
He downloaded a file from Russia, and one from Romania, and unpacked them in my /tmp dir and ran them. They talked to some haX0r sites around the net, saying who knows what, and that was it. It’s probably just sitting there waiting for someone to pull the trigger.
I deleted all the stuff I could find initially, so I don’t think he can use me at the moment.
Oh, and he logged in from eggburt.positive-internet.com
Unless you know for *certain* that keystroke loggers and password sniffers weren’t installed, you also need to treat any system you accessed from your laptop as suspect. Was a rootkit used? Which one?
When was the compromise made? Starting from then, make a list of every place you logged in. That includes FTP, SSH, email, websites, etc. Those passwords all need to be changed. For remote systems where you have a shell, you should also run chkrootkit as an extra precaution. You want to be certain you’ve cleaned everything, or you may find problems popping up again a week from now.
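The reply above asks the two questions the sshd log can actually answer: which accounts were sprayed, and when the first successful login after the spray happened (the start of the window in which every password used from the box is suspect). The script below is an added example, not code from the original post or its author. It parses constructed sample lines in OpenSSH sshd syslog format (the same kind of lines found in /var/log/auth.log on Debian-derived systems or /var/log/secure on Red Hat-derived ones), counts the guessed usernames, lists every accepted login with its source, and flags any accepted login that was preceded by several failures from the same IP. Syslog lines carry no year, so the year is a caller-supplied assumption (2005 is an arbitrary default here); the IP addresses and host names in the sample are constructed, not the ones from the post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in OpenSSH sshd syslog format (assumed data, not from the post):
# a short username spray from one address, then a success on a weak account,
# an unrelated legitimate key-based login, and a later failure from elsewhere.
SAMPLE_AUTH_LOG = """\
Mar 12 03:14:07 laptop sshd[2345]: Failed password for invalid user alice from 203.0.113.7 port 51234 ssh2
Mar 12 03:14:09 laptop sshd[2347]: Failed password for invalid user bob from 203.0.113.7 port 51236 ssh2
Mar 12 03:14:11 laptop sshd[2349]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 12 03:14:13 laptop sshd[2351]: Failed password for invalid user carol from 203.0.113.7 port 51240 ssh2
Mar 12 03:14:15 laptop sshd[2353]: Accepted password for james from 203.0.113.7 port 51242 ssh2
Mar 12 09:30:01 laptop sshd[2600]: Accepted publickey for owner from 192.0.2.10 port 40000 ssh2
Mar 13 01:02:03 laptop sshd[2700]: Failed password for invalid user dave from 198.51.100.5 port 2222 ssh2
"""

# "Failed password for invalid user X" means X is not a local account at all;
# "Failed password for X" means the account exists but the password was wrong.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2005):
    """Return sshd authentication events as dicts, oldest first in file order.
    Syslog timestamps have no year, so the caller supplies it (assumed default)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd auth result line (cron, sudo, disconnects...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def failed_usernames(events):
    """Which usernames were guessed and how often: the 'lots of first names' pattern."""
    return Counter(e["user"] for e in events if e["result"] == "Failed")


def accepted_logins(events):
    """Every successful login: when, which account, from where, by which method."""
    return [(e["ts"], e["user"], e["ip"], e["method"])
            for e in events if e["result"] == "Accepted"]


def brute_force_successes(events, min_failures=3):
    """Accepted logins that were preceded by at least min_failures failed attempts
    from the same source address. A success right after a spray is the signal that
    a weak password was found rather than a legitimate user logging in."""
    failures_so_far = Counter()
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["result"] == "Failed":
            failures_so_far[e["ip"]] += 1
        elif failures_so_far[e["ip"]] >= min_failures:
            hits.append((e["ts"], e["user"], e["ip"], failures_so_far[e["ip"]]))
    return hits


def compromise_start(events, min_failures=3):
    """Timestamp of the earliest brute-forced login, or None if there is none.
    Everything done from the machine after this point must be treated as exposed."""
    hits = brute_force_successes(events, min_failures)
    return min(h[0] for h in hits) if hits else None


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    print("guessed usernames:", dict(failed_usernames(evs)))
    for ts, user, ip, method in accepted_logins(evs):
        print(f"accepted {ts} {user} from {ip} via {method}")
    for ts, user, ip, n in brute_force_successes(evs):
        print(f"BRUTE-FORCED: {user} from {ip} at {ts} after {n} failures")
    print("change every password used since:", compromise_start(evs))
```

To run it against a real box, feed it the contents of the auth log instead of the constructed sample. Two caveats a practitioner would add: sshd is only one source of logins, so cross-check against `last` (which reads /var/log/wtmp) and `lastb` (failed logins in /var/log/btmp), and a log that an intruder could have edited only bounds the compromise from above; the reply's advice to rotate every password used from the machine after the earliest suspicious login still stands even if the log looks clean.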