Some quick digging on the web, looking for "Neo the hacker" yields the
http://stead.boom.ru/vanish.txt - A little program which is relevant in this
http://www.neo-the-hacker.de/ - May be the guy you are looking for? In
http://www.neo-the-hacker.de/insec.html - With a presentation of him.
Relevance of these are up to yourself to decide. Same goes for what actions
to be taken next.
Hope you figure out how he got in. Has there been any other damage made to
the system, other than some deleted log entries/added binaries?
I must also (as others have done) to be using Tripwire. Not everyone is
doing that much even! Something else, that I still haven't seen anyone
suggesting, is to limit the hosts that are allowed to connect via SSH as
well. This would then _reduce_ your risks as well.
From: ilug-admin at linux.ie [mailto:ilug-admin at linux.ie]On Behalf Of Barry
Sent: 28 May 2002 15:34
To: Paul Kelly; ilug at linux.ie
Subject: Re: [ILUG] Possible hack?
Okay - the hacker likes to call himself "Neo the Hacker" (original or
He set up a directory called "pf0 " (five spaces) in the /dev
directory. In that, he set up another directory called " " (two
In this there resides a number of executibles - including a root
shell. Two text files, one storing the pid of the "crond " process,
and another containing information that must have been gathering.
Included in this are all instances of USER and PASS sent over the
network. (b at st@rd!)
My system is RH 7.2 with ALL UPDATES installed via up2date. Not sure
how he got in yet. The box is behind the UCD firewall with only ssh,
http, ftp (although no ftpd running) ports open (at least to my
Thanks Paul for your suggestions - but I think I'll skip the honey pot
route. Looks like it came from Britain anyway. Most likely I'll do a
complete reinstall of RH 7.3. (once I find the vulnerbility)
Ar an Tuesday 28 May 2002 13:56, scriobh tu:
> There's zero doubt you've been hacked of course. Don't trust the
> output of netstat. Use nmap from a remote machine. See if lsof has
> any information to offer. Make use of strace -p.
>> They may also have introduced a kernel loadable module (possibly
> hidden within either of those programs) which can keep a port open
> while hidden from userspace. It's also possible for it to be
> listening for comms on an altogether more devious level - hidden in
> ICMP packets that it might be listening to on a raw socket. Packets
> that you normally wouldn't think twice about. Kernel hacks can also
> hide processes and files, though if that were the case you'd
> probably not be seeing what you're seeing.
>> If you're interested in the honeypot route, I'd stick a 'network
> flight recorder' beside the machine, recording to disk every single
> packet in and out for later analysis.
>> Otherwise raze the box to the ground and reinstall from scratch.
> I'd recommend against a repair unless absolutely necessary.
Barry O'Donovan barry.odonovan at ucd.ie
Mobile: +353 (0)86 2891589, Office: +353 (0)1 716 2454
Roinn na Riomheolaiochta, An Colaiste Ollscoile, Baile Atha Cliath.
Department of Computer Science, University College Dublin.
Irish Linux Users' Group: ilug at linux.iehttp://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
List maintainer: listmaster at linux.ie
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!