Random Access - Tuesday, March 28, 2000

We wuz hacked...
The perils of being a Linux newbie...

by Chris Gulker

"Basically, you're f----d."

These were the words of my friend and colleague Mark Anderson. Mark is one of the smartest and most technologically literate people I know.

And he minces few words.

At issue were a couple other words I noticed while playing with my Linux computer. For the uninitiated, the Linux operating system, unlike a Windows or Mac machine, is often operated from a simple text interface called a command line. Linux lets you flip back through the most-recently typed commands as a convenience. As I was flipping one evening, I arrived at this line:

[root@magellan /]# adduser bonez

The two words after the '#' form the command that instructs Linux to add a user to a system. Problem was, I don't know anybody named 'bonez'. And I sure didn't remember adding bonez to my computer's user list.

Mark confirmed it in an email: I'd been hacked.

Truth is, I'm not much of a Linux expert - certainly not the way Mark is. I am inordinately interested in computers and computing, even get called a geek sometimes (not considered an insult here in Silicon Valley). But mostly, I stick to my Macintosh - the computer for "the rest of us".

However, Linux, the free operating system, is one of the first fruits of a world that has recently become globally connected. So I bit the bullet, bought a cart full of parts and built my own Linux computer. It wasn't as hard as it sounds, and magellan.gulker.com (the machine's Internet hostname) has been up, and on the Net, ever since.

But using an advanced operating system that was created by and for the Mark Andersons of this world is another matter. Linux is as complex and non-intuitive as it is powerful. Despite recent, worthy attempts at making Linux more accessible, it remains fiendishly technical.

My copy of "Linux for Dummies" is well-thumbed but weeks go by without a log-in to the Linux machine. By me, anyway. However, that didn't seem to bother bonez. He was logging in just fine.

Mark gave me a few tips on how to become a Linux detective by reading log files. Linux records all sorts of information about what's happening in the system - it makes it easier for programmers to figure out what's going on. I dug into one of the many system logs that Linux maintains and found confirmation:

Mar 2 14:45:37 magellan adduser[5279]: new user: name=bonez, uid=504, gid=504, home=/dev/.d, shell=/bin/bash

Well now, here I was being a veritable Tsutomu Shimomura hot on the trail of my own personal Kevin Mitnick. Shimomura tracked down Mitnick in 1995 in perhaps the most celebrated hacking event ever. Mitnick, was only recently released, this past January, from a U.S. Federal prison.

The pursuit was on. The second line says that bonez had created a directory for himself called ".d"- at 14:45 GMT (6:45 in the morning hereabouts). A directory is the Linux equivalent of a folder on a Mac or Windows machine and the period in front of the "d" meant that the directory would be invisible in a casual scan. Linux hides files whose names start with a period. Fiendish!

The directory was also tucked away in a funny place "dev" - most users' files are kept in a directory called "home". A more revealing listing of bonez' directory presented the following:

-rw------- 1 bonez bonez 129417 Mar 2 14:47 egg.config -rwxr-xr-x 1 bonez bonez 491060 Nov 29 15:20 httpd

Now, it's taken me a while to make sense of Linux directory listings, and by this time I had a couple dozen sheets of log and directory printouts all over my desk. These are clearly bonez' files, as evidenced by the twin columns for owner of the files.

The actual filenames are the last words on each line. One that jumped out at me was "httpd", which is the name of a Linux program. "httpd" is the actual Linux name for a Web server program.

Why, I wondered, would bonez bother to upload his own copy of a Web server, when every Linux distribution comes with the Apache Web server built in? Then it hit me: maybe bonez was running his own Web server on my machine. I quickly logged myself in as bonez and typed the Linux command "ps", which reveals which programs are currently running. Sure enough! Bonez had a httpd process, Linuxese for program, running.

Ohmigod! Was Bonez running a porn site on my computer, over my Net connection, using my domain name? Or worse, was he maybe auctioning credit card numbers from my machine? The file "egg.config" was a long list of things that appeared to be encrypted. Many lists of credit card numbers stolen from Internet ISPs and others are stored in encrypted form.

I was getting, real nervous. I quit bonez program. I changed his password. I emailed Mark for more advice, and included some of the evidence I'd turned up, hoping he'd render a verdict. Major porn ring? International credit-card runners? Worse?

Nope. I was being used to run something called 'eggdrop', which is an Internet chat server favored by hackers but banned by most ISPs. Mark explained:

he just use[s] you to bounce an IRC connection. You [don't] have enough bandwidth or disk to be attractive to steal, and you aren't famous enough to be defaced

Ouch. Excuse me, I have to go to Amazon.com for my copy of "Maximum Security Linux"...

Random Access | www.gulker.com | Help/Info

editor@gulker.com This page was last built with Frontier on a Macintosh on Tue, Mar 28, 2000 at 8:07:59 AM.