Back to Cracked, Wiped, Recovered, and Curious.
This page tracked another repeat visitor to the honeypot, one who turned out to be more competent than fone.
Synopsis
- Logins: a, b (uid=0)
- Passwords: blank
- Home Directory: /usr/lib/.blunt
- Observed IPs: 207.181.147.50 on 2000-11-26; 38.37.0.36 on 2000-11-29
- Attack: sunrpc/portmap on 2000-11-24
Diary
Dec 09, 2000
blunt “secured” my system for me. He cleaned up the machine with a patch helper and an ftp script, both of which were linked from the original page. The original page also linked a blunt.tar.gz rootkit archive, but that file is not present in the recovered source tree.
At the time I wondered whether he was a good Samaritan who hacked insecure systems and cleaned them up, or just a hacker who wanted privacy.
Extracted session text:
Nov 29, 2000
blunt came back.
Extracted session text:
He finally found hunt and fortune and managed to remove them. I still do not think he understood how they worked.
Poor fone. blunt wiped out his home directory.
I also sent notices to postmaster@YORKCITY.ORG, postmaster@NETRAX.NET, and postmaster@psi.com to see how long it would take them to respond.
Nov 26, 2000
blunt looked a little sharper than fone. He got in through sunrpc, checked whether he had been there before, then unpacked a toolkit in /dev/.blunt.
The original page linked a tcpdump for this visit as well. That capture is also missing from the recovered archive, though the page recommended this fallback command for pulling the printable strings out of the raw capture (-w - writes the packets unchanged to stdout, where strings picks out the readable text):
    tcpdump -nr 975117774.tcpdump -w - | strings
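As an added illustration (not code from the original page), here is a small POSIX shell audit for the three indicators the synopsis and the Nov 26 entry record on this host: extra uid-0 logins like a and b, blank password fields, and hidden dot-directories under /dev and /usr/lib where blunt kept his toolkit and home directory. It runs against a constructed mock of the host; the sample passwd and shadow contents, the daemon/fone entries and the candidate directory list are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: audit a (mock) filesystem for
# the indicators blunt left behind. Sample file contents are constructed.

# list_uid0_accounts PASSWD: every account with uid 0 other than root.
# An extra uid-0 login is a strong compromise indicator on its own.
list_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# list_blank_passwords SHADOW: accounts whose password field is empty,
# meaning anyone can log in with no password at all.
list_blank_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# find_hidden_dirs ROOT...: dot-named directories under system paths that
# should not contain any; /dev/.blunt and /usr/lib/.blunt show up here.
find_hidden_dirs() {
    for root in "$@"; do
        [ -d "$root" ] && find "$root" -mindepth 1 -type d -name '.*' 2>/dev/null
    done | sort
}

# build_sample BASE: constructed mock of the compromised host (assumed layout).
build_sample() {
    base=$1
    mkdir -p "$base/etc" "$base/dev/.blunt" "$base/dev/pts" \
             "$base/usr/lib/.blunt" "$base/usr/lib/misc"
    cat > "$base/etc/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
a:x:0:0::/usr/lib/.blunt:/bin/sh
b:x:0:0::/usr/lib/.blunt:/bin/sh
fone:x:1001:1001::/home/fone:/bin/sh
EOF
    cat > "$base/etc/shadow" <<'EOF'
root:$1$abcdefgh$ijklmnopqrstuvwxyz0123:11200:0:99999:7:::
daemon:*:11200:0:99999:7:::
a::11200:0:99999:7:::
b::11200:0:99999:7:::
fone:$1$hgfedcba$0123zyxwvutsrqponmlkji:11200:0:99999:7:::
EOF
}

# count_indicators BASE: print each finding, then the total number found.
count_indicators() {
    base=$1
    hits=0
    for u in $(list_uid0_accounts "$base/etc/passwd"); do
        echo "extra uid-0 account: $u" >&2; hits=$((hits + 1))
    done
    for u in $(list_blank_passwords "$base/etc/shadow"); do
        echo "blank password: $u" >&2; hits=$((hits + 1))
    done
    for d in $(find_hidden_dirs "$base/dev" "$base/usr/lib"); do
        echo "hidden directory: $d" >&2; hits=$((hits + 1))
    done
    echo "$hits"
}

# Stand-alone run against the mock tree.
tmp=$(mktemp -d)
build_sample "$tmp"
echo "indicators found: $(count_indicators "$tmp")"
rm -rf "$tmp"
```

On a real host you would point find_hidden_dirs at the actual /dev and /usr/lib (and any other system path that legitimately holds no dot-directories) and the passwd/shadow checks at /etc, ideally from a mounted image rather than the live, possibly rootkitted, system.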