Cracked! Part 7: The Cracker's Revenge
"well you should probably thank me anyway, those disks needed
a major clean up :)"
Early one morning I had either just gotten up or was in that
early morning state where you are laying there almost asleep
when the phone started ringing. Crawling over to the phone I picked
it up and croaked out a hello. On the line was the Executive
Director of our community network. He had gotten up and found
that he could not login to our machines and called me. I mumbled
something to him and dialed in to check things out.
When I connected I found that I could login as root to our main
machine but could not connect as my regular user account. I ran the
df command to see what file systems were mounted. To my surprise
and sleepy mind all the file systems
that should have been mounted were. Looking more closely I noticed
that some of these file systems showed that they were empty! I ran
the df command again. It showed that some of the file systems had
grown smaller. I realized to my horror that all of the
file systems that contained user home directories were being removed!
Doing a ps I did not see any rm -rf processes, so I started trying to
login to the other boxes. When I tried to login to our mail server
it would not let me login at all.
When I told the Executive Director what was going on, to my relief he
had called me from the building that our servers were located in. In
somewhat of a panic I told him to unplug the machines. He asked what
do I unplug? I said unplug everything!
In hindsight I could have dealt with the problem with something less
of a shotgun (or grenade) approach. There were some pluses in the way I
did it. Some of the rm -rf's effects may not have been written to
disk when we pulled the plug. Of course it risked file system
corruption, but that turned out to be the least of our problem.
I drove into town and met the Executive Director at our
servers. I made sure that we were unplugged from the net and powered
up our mail server. When it came up I found that the root account
was gone and I could not login. I played with the boot prom on this
machine (an alpha) for a while until I figured out how to make it boot
into a maintenance mode that ran a shell as root. Once I had that
shell I tried to edit the password file but was having a hard time
doing so due to terminal problems caused by the maintenance mode. I
ended up just copying the password file to a backup and using echo to
add a root account.
Once I had a root account back I rebooted to get things back to a more
normal mode. When the machine was back up I started poking around
and found in the .sh_history that the cracker had started a rm -rf
process for each file system and placed them in the background to run.
On by one I brought up the other machines and started looking at them
it did not look like he had cracked any of the others. It appeared
that he had cracked one machine and started destroying things
The most important thing destroyed was that most of the user home directories
had been removed. In addition to this the custom software had all
been removed and the software packages that we had spent so much time
compiling and configuring had also been removed. It was going to
take a long time to repair all of this but nothing compared to the
time the rebuild had taken.
Turning to my sniffer logs I looked to see if I could tell how he had
cracked the mail server and if he had left any more back doors. It
looked like what had happened was that he had placed a back door program
in a home directory on the machine that allowed logins and then used an
exploit in statd that executed the back door as root. The back door was
a program that listened on the network and when you connected to it
gave you a root shell. It also looked like as soon as he was able to
connect as root he started removing everything that he could find.
Once I had a good idea of how he had gotten in I started working to
recover the system. The first thing I started was recovering the
user data from our backup tapes as this was the part that I was most
Murphy's law is in full force when you have to recover things from
tape and is compounded when the tapes and drives you have are old and
each tape drive was different because they all were donated.
The first problem we found with the tapes was that the disk space in
use had exceeded the space available on the tape and not all of the
directories were on the recent tapes. The second was that not all of
the old tapes worked. I had manually made a few backups of all the
users configuration files and their public_html directories in a tar
file and this was still on some of our tapes. So almost all of the
users web pages were recovered. On the
down side most of the mail in the mail spool was gone and some users
had lost almost all their files.
While the tapes were restoring things I started rebuilding the rest of
had lost. This was much easier than the first time as we had not lost
everything and I had done this once before and did not have to repeat all of
the learning curves.
We had been running statd mainly because the pop server we were using
required us to run it as part of NFS. So as you can expect I went
looking for a new
popd. Finding one that did the job and did not require statd was not
that hard and I cursed the fact that I had not done it in the first
In turned out that Digital Unix did not fix this bug in statd for six
more months. The open source versions were already fixed at the time
we were cracked. It is interesting to me that even with these sorts
of evidences there is still a large group of computer managers that
avoid open source software due to "support issues".
Once we had the hole secured by turning statd off we connected back to
the Internet and turned our services back on as we
installed/configured. It was not long after we started running our IRC
server again that the cracker showed back up to talk about his conquest.
He starts off this conversation bragging and happy about the damage he
has done. The other people and myself are angry and as the
conversation went on became more and more angry.
I have changed the names of the other people in the conversation
and edited it to remove a lot of side conversations and comments. It
has also been edited for length to shorten it down to the most
He tells us all about how we made him do these things and that it is
all our fault. Little children talk like this. If you ask them why they
do something what you hear is a tale about how the other person is at
fault because they made them do it. We are all responsible for our
Cracker - hey, noel, ol' buddy
Cracker - what a surprise
* Cracker grinz
User2 - Cracker boy was about to tell us about hacking and stuff
Cracker - dont u wish
Noel - You know I thought you had class and skill.
Cracker - i do
User1 - he has absolutely no class.
Cracker - well, skill at least :)
Noel - Lots oh skill it takes to type rm -rf
Cracker - u know at some point its the only thing u can type
He continues by telling us how he was unfairly treated in our IRC and
how this justified his revenge. Again it is not his fault we made him
do it. He also makes some amazing statements such as asking us if we
think we own this place. Why yes I guess we do.
Cracker - your friend didn't leave me any other choice
Noel - hah. That is the path that leads down a sad sad life
Noel - so you planned to do it it was not just an impulse?
User1 - how bout a path to jail jail jail?
Cracker - u pissed noel? what the hell did u expect?
* Cracker is sorry he didn't do it in december
Noel - I think that you planned to do it anyway, that Admin1 was just
the excuse. Is that right?
Cracker - i wouldnt have done it if he agreed to my demands
Noel - those were not demands they where just crap
Cracker - well you should probably thank me anyway, those disks needed
a major clean up :)
Noel - Tell me the truth if you have any in you... you just in it for
the power trip right?
Cracker - noel the truth is i do what i say
Cracker - noel: and there is more damage that can be done :)
Noel - like what?
Cracker - Admin1 you know i wanted to avoid the trouble and all that
and i'd have even settled down for you staying around but just
removing the cops from irc
The cop system he is referring to is the IRC operator system. On our
little IRC it had been formalized and had multiple layers of power. I
personally thought that too many people did get a little power on IRC
and then turn into little hitlers. Not that this excuses what the
Cracker - but u refused
Cracker - soooo... u want war... you got it
* Cracker is armed and dangerous
Noel - crap and more crap
Noel - you where planning this all along from when we came down in dec
Cracker - noel one way or another i aint leaving u alone while Admin1 is
here.. and thats ur problem not mine
Noel - no it's your problem
Noel - but only one of many I am sure
Cracker - i was treated badly by the irc staff here 2 years ago.
Cracker - just tell me how pissed u are because of what was done? i
couldnt care less
Cracker - who cared when i was banned from here etc?
Noel - heh no grudge just a power game
Admin1 - you were treated fairly
Cracker - i was NOT.
Cracker - who the fuck are you to judge me?
Cracker - u think u own this place?
Noel - after all your such a nice guy who would treat you bad
Cracker - my friends and i were treated unfairly
Noel - You don't like a place you leave not try to burn it down
Cracker - and the cop system is wrong
Cracker - its got to go
As I have said as this went on I became more and more angry. At some
point the conversation degenerated into name calling. I have skipped
most of that.
Cracker - and it will go
* Cracker has burned a lot of stuff in his time
Cracker - but i owned ur sorry ass for half a year
This was one of the things that I wish I had not said. Not because it
came back to haunt me but because I said it just to try to get at him
to hurt him back in the only way I could and that is not the kind of
person I want to be. Turning the other cheek can get very hard sometimes.
Noel - so what you had root big shit
Cracker - it's pretty big shit considering u didnt know about it
Noel - buy a linux cd then you can have root gosh
Cracker - lemme see u have root on my computer without me
knowing... u wont laast even one minute
Cracker - lamer
Noel - oh man yeah that is hard to lock down a single user machine
gosh that takes skill
Noel - you probable have to know how to use pico or something to do
Cracker - i want u to DIE!
Cracker - and u will :)
Cracker - sooner or later
Cracker - heheheh
* Cracker fears noel's eleet /noexec skillz
USER2 - odd phonetic mispellings identifies Cracker as a member of the
Cracker - Y3a|-| 3Y3 aM a 31337 |-|@KK3R d00d!@#
Noel - oh what skill he has he knows the elite codes
Cracker - what does power mean if someone else gave it to u? nothing.
Cracker - i have the power cuz i have knowledge
Cracker - while u folks are just a bunch of clueless lamerz
Noel - but no one took our power gosh
Cracker - noel: not yet.
Noel - heh. You know I bet you are the saddest and most alone person
Admin1 - the lil prick finally showed himself for what he was when he started deleting our system
I think that one of the reasons that I was so angry was that I had
started liking the cracker when I had been talking to him before the
second crack and the removal of all he could get at. I really had not
believed that he would have done something like that and the truth did
hurt. I could see myself if life had gone differently for me cracking
some machines for the challenge and the excitement. To learn and become
an expert. But I could not imagine trashing a machine like he had done.
Admin1 - that is how he get is kicks
Cracker - but i bet i'm the smartest one too
Cracker - and the craziest
Cracker - so there
Noel - not crazy just sad
Cracker - noel what crap?
Cracker - or what was crap
Noel - all the crap you told me when you were pretending to be a
skilled unix guy
Cracker - yeah noel i just fooled you! i'm really a lamer. no skillz
Cracker - i'm an 11 year old that gets his skriptz from www
Cracker - fear my 31337 altavista searching skillz.
Noel - he is so skilled that he talks in irc rather than having a job
Cracker - oh yeah i forgot all the eleet craquer typez get their
infoz from bugtraq
Cracker - noel i really dont know what your doing in here. i got
nothing against u, it's nothing personal u know
If there is a Denial of Service creed this might be it.
Noel - You know I had respect for you before you got destructive
Cracker - so you can say what ever, i'm just going to ignore you. i
dont take stuff personally unless it hurts me.
Noel - But I have learned to my sadness that I was wrong about you
Noel - complete wrong.
Cracker - noel: i dont really care for your opinion on me
Cracker - i feel content when i can do a lot of damage with very
Cracker - its like, i waste 10 hours, and make you folks waste 1000
hours for that
Cracker - it's pretty effective.
Noel - we are not wasting our time
Cracker - noel: you sure are. the system now is pretty much the same
as before.you didn't learn anything.
One of the people that lost the most work in this is labeled in these
conversations as Admin1. He had been working on a set of user help
files and other things like this that had been in his home directory
and were completely lost. He had been pretty upset and depressed by
this loss and I am sure that the following conversation did not help.
Cracker - u should all thank me, the disks were full of useless
shit from 4 years ago
Cracker - Admin1: your home directories were especially full of shit, i
trashed them first to make sure they were gone
Cracker - arent u proud of me?
Cracker - i looked at Admin1 files though.. they were shit
Cracker - hey btw... i made a backup of the home dirs of the staff on
here a while back.. i can let u have some of the files back if u beg
Admin1 - OK...I beg you to give me the help files back
Admin1 - satisfied?
Cracker - Admin1: i have those files
Cracker - :)
Admin1 - OK...I begged. now you do your part
Cracker - i think i even have them on my own computer... lemme check
Screen paste of list of files
Cracker - is that it Admin1?
Admin1 - yep ... appears to be
Cracker - i have it.
Cracker - u can try to haq me :)
Cracker - letz see how 31337 u r
Cracker - lets face it Admin1... u knew what was gonna happen if u
didnt agree to any of my demands.... so dont blame me ok
After these series of conversations we just stopped hearing from the
Cracker. It would have been a nicer end to have police kick in his
door and arrest him. But when it comes down to it, there are lots of
problems tracking people down over the net and convicting them of a
crime. To email some script kiddie's provider and have his account
turned off does not require the same levels of proof that the police
are required to use to secure a conviction.
To the best of our knowledge he never cracked us again. In
the very least if he did crack us he kept a low profile and did no
noticeable damage. We did have a couple of smurf attacks that may have
been from him but we were not sure.
If there was one lesson that I would highlight from all the lessons I
learned from these events it would be that you must secure your own
systems, police your own yard. If you do not then you are going to be
cracked and once you are there may be nothing that you can do but
yourself. The net is still a wild and unpoliced wilderness
full of script kiddies and crackers.