
08-02-2002, 05:24 PM
Web Hosting Master
Join Date: Oct 2001
Posts: 1,244
We had a spare machine running Red Hat 7.2 get hacked by something.hispeed.ch
The machine is having an odd problem now, can anyone recognize it? (We will be removing the HD to study and putting in a fresh one shortly)
The machine goes online and offline for a few hours at a time at random times. The machine isn't frozen, but you can't ping it from an outside network. BUT once a machine on the same network pings the machine, it comes online to everyone....
hm....
I know the user ftp'd in, unfortunately we didn't have logging enabled. I just did today. I'm leaving the system up to track him. md5 checksums show none of the main binaries are compromised....
Does anyone know any known hack that will affect the network access as described above?
Thanks
__________________
Avi Brender
Reliable Web Hosting by Elite Hosts, Inc
CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec

08-02-2002, 05:55 PM
Community Guide
Join Date: Jun 2000
Location: Washington, USA
Posts: 5,976
Sounds like power management is enabled in the BIOS. And, the machine is going to Sleep/Standby, and when a machine on the local lan pings it, it's like Wake On Lan.
Course, I think APM can be enabled from within Linux.
__________________
John T. Yocum -- Fluid Hosting
Shared - VPS - Dedicated - Colocation

08-02-2002, 05:57 PM
Web Hosting Master
Join Date: Oct 2001
Posts: 1,244
hmmm.. that's interesting
But why would a ping to the same IP address from a machine on the same switch wake it up rather than one on a separate network?
Side question, I'm thinking about going to Red Hat 7.1 from 7.2 because I've never been hacked using 7.1, only 7.2....
__________________
Avi Brender
Reliable Web Hosting by Elite Hosts, Inc
CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec

08-02-2002, 07:48 PM
Web Hosting Evangelist
Join Date: Nov 2000
Posts: 486
Wake on LAN works only on local LANs, not external ones. That's why a remote ping may not work. In the meantime just keep sending a ping once in a while from a local server, so that the server stays up.

08-03-2002, 08:58 PM
Web Hosting Master
Join Date: Oct 2001
Posts: 1,244
Quote:
Originally posted by JTY
> Sounds like power management is enabled in the BIOS. And, the machine is going to Sleep/Standby, and when a machine on the local lan pings it, it's like Wake On Lan.
> Course, I think APM can be enabled from within Linux.
Is there a way to disable this from Linux directly or can it only be done via the BIOS? (the APM thing)
edit.... stupid me  /etc/rc.d/init.d/apmd -
stopping it will do what exactly?
/etc/sysconfig/apmd found:
NET_RESTART="yes"
that is it shuts it down when it suspends, I changed it to no, let's see if it works.
Crossing my fingers
__________________
Avi Brender
Reliable Web Hosting by Elite Hosts, Inc
CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec
Last edited by MaB; 08-03-2002 at 09:08 PM.

08-03-2002, 09:32 PM
WHT Addict
Join Date: Jul 2002
Posts: 153
I would love to have a box to track a hacker. I love watching. ;-)

08-03-2002, 09:39 PM
Web Hosting Master
Join Date: Oct 2001
Posts: 1,244
Looking back, it was no hacker. Person just got in via FTP using users in the default install of Red Hat 7.2 - we've cleared the password files of unneeded entries and they're out
I would still like to know which user but I got ahead of myself and just wanted them out
I am now looking into setting up a honeypot
__________________
Avi Brender
Reliable Web Hosting by Elite Hosts, Inc
CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec
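
The cleanup described in the post above (removing unneeded default accounts that could log in over FTP) can be checked with an audit like the following. It is an added example, not part of the original thread; it assumes a traditional ftpd that denies users listed in an ftpusers file and requires a login shell listed in a shells file, and the function names, accounts and hashes are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a traditional ftpd: users in
# ftpusers are denied, the login shell must appear in shells, and the account
# needs a usable password hash.

# Usage: ftp_capable_accounts PASSWD SHADOW FTPUSERS SHELLS
# Prints "user:uid:shell" for each account that could still log in over FTP.
ftp_capable_accounts() {
    awk -F: '
        /^#/ || /^[ \t]*$/  { next }                   # comments, blank lines
        FILENAME == ARGV[1] { denied[$1] = 1; next }   # ftpusers deny list
        FILENAME == ARGV[2] { okshell[$1] = 1; next }  # permitted shells
        FILENAME == ARGV[3] { hash[$1] = $2; next }    # shadow password field
        {   # remaining input is the passwd file
            pw = ($2 == "x") ? (($1 in hash) ? hash[$1] : "!") : $2
            shell = ($7 == "") ? "/bin/sh" : $7        # empty shell = /bin/sh
            if ($1 in denied) next                     # blocked by ftpusers
            if (pw ~ /^[!*]/) next                     # locked, no valid hash
            if (!(shell in okshell)) next              # e.g. /sbin/nologin
            print $1 ":" $3 ":" shell                  # empty pw is reported too
        }
    ' "$3" "$4" "$2" "$1"
}

# Constructed sample files (hypothetical accounts, placeholder hashes).
make_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
games:x:12:100:games:/usr/games:/bin/sh
oldweb:x:501:501::/home/oldweb:/bin/bash
alice:x:502:502::/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:PLACEHOLDER_HASH:11900:0:99999:7:::
bin:*:11900:0:99999:7:::
ftp:*:11900:0:99999:7:::
games:PLACEHOLDER_HASH:11900:0:99999:7:::
oldweb:PLACEHOLDER_HASH:11900:0:99999:7:::
alice:!!:11900:0:99999:7:::
EOF
    printf 'root\nbin\n' > "$1/ftpusers"
    printf '/bin/sh\n/bin/bash\n' > "$1/shells"
}

tmp=$(mktemp -d) && make_sample "$tmp"
ftp_capable_accounts "$tmp/passwd" "$tmp/shadow" "$tmp/ftpusers" "$tmp/shells"
rm -rf "$tmp"
```

On a live system, run it as root against the real passwd, shadow, deny-list and shells files; every line it prints is an account to lock or add to the deny list unless it is meant to have FTP access.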

08-03-2002, 10:42 PM
Web Hosting Master
Join Date: Mar 2002
Location: Canada
Posts: 781
Quote:
Originally posted by MaB
> I am now looking into setting up a honeypot
Hmm... Keep us posted 

08-03-2002, 11:16 PM
Web Hosting Master
Join Date: Oct 2001
Posts: 1,244
APM in Linux didn't work, I'll try the BIOS
__________________
Avi Brender
Reliable Web Hosting by Elite Hosts, Inc
CPANEL Reseller Hosting - Fantastico - Rvskins - ClientExec