# RootPrompt.org: Nothing but Unix.

 Feature: Cracked! Part 7: The Cracker's Revenge

This is the seventh part of the story of a community network that was cracked and what was done to recover from it.

In this article I explain what the cracker did when he broke back in, our recovery from it, and our conversation with the cracker afterwards, and bring the story to a close.

(Submitted by Noel, Mon Jul 10, 2000)

## Cracked! Part 7: The Cracker's Revenge

"well you should probably thank me anyway, those disks needed a major clean up :)"
-- Cracker

Early one morning I had either just gotten up or was in that early morning state where you are lying there almost asleep when the phone started ringing. Crawling over to the phone, I picked it up and croaked out a hello. On the line was the Executive Director of our community network. He had gotten up, found that he could not log in to our machines, and called me. I mumbled something to him and dialed in to check things out.

When I connected I found that I could log in as root to our main machine but could not connect as my regular user account. I ran the df command to see which file systems were mounted. To my surprised and sleepy mind, all the file systems that should have been mounted were. Looking more closely, I noticed that some of these file systems showed as empty! I ran df again, and it showed that the used space on some of the file systems had gotten smaller. I realized to my horror that all of the file systems containing user home directories were being wiped! A ps did not show any rm -rf processes, so I started trying to log in to the other boxes. When I tried our mail server it would not let me log in at all.

When I told the Executive Director what was going on, to my relief it turned out he had called me from the building where our servers were located. In somewhat of a panic I told him to unplug the machines. He asked, "Unplug what?" I said, "Unplug everything!"

In hindsight I could have dealt with the problem with something less of a shotgun (or grenade) approach, but there were some pluses to the way I did it: some of the effects of the rm -rf may not yet have been written to disk when we pulled the plug. Of course it risked file system corruption, but that turned out to be the least of our problems.

I drove into town and met the Executive Director at our servers. I made sure that we were unplugged from the net and powered up our mail server. When it came up I found that the root account was gone and I could not log in. I played with the boot PROM on this machine (an Alpha) for a while until I figured out how to make it boot into a maintenance mode that ran a shell as root. Once I had that shell I tried to edit the password file, but terminal problems caused by the maintenance mode made that hard. I ended up just copying the password file to a backup and using echo to append a root account.
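The "copy the password file to a backup, then use echo to add a root account" step, written up as an added example that is not from the original article. The function refuses to clobber an existing uid 0 entry, keeps the backup copy, and is exercised here against a constructed passwd file in a temporary directory rather than /etc/passwd; the `.bak` suffix, the `/bin/sh` login shell and the sample users are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not the article's own code): restoring a missing root entry
# in a passwd file from a bare maintenance-mode shell, using only cp and echo.
# Everything here runs on a constructed file in a temp directory.

# make_demo_passwd : writes a constructed passwd file with no root line and
# prints its path (sample users are made up for the demo)
make_demo_passwd() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
daemon:*:1:1:Daemon:/:/sbin/nologin
noel:x:1001:100:Noel:/home/noel:/bin/ksh
EOF
    echo "$d/passwd"
}

# root_entry_count PASSWD_FILE : number of entries whose uid field is 0
root_entry_count() {
    awk -F: 'NF >= 3 && $3 == 0 { n++ } END { print n + 0 }' "$1"
}

# ensure_root_entry PASSWD_FILE
# Returns 0 if the file already has a uid 0 entry. Otherwise it copies the
# file to PASSWD_FILE.bak, appends a locked root entry with echo (no editor
# needed on a half-working console) and returns 2; returns 1 if the backup fails.
ensure_root_entry() {
    pw=$1
    if awk -F: 'NF >= 3 && $3 == 0 { found = 1 } END { exit !found }' "$pw"; then
        return 0
    fi
    cp -p "$pw" "$pw.bak" || return 1
    # "*" in the password field keeps the account locked; set a real password
    # with passwd(1) as soon as the system is up far enough to run it.
    echo 'root:*:0:0:Root recovery:/:/bin/sh' >> "$pw"
    return 2
}

# Stand-alone run on the constructed file.
demo=$(make_demo_passwd)
echo "before: $(root_entry_count "$demo") uid-0 entries in $demo"
if ensure_root_entry "$demo"; then
    echo "root entry already present, nothing changed"
else
    echo "appended a locked root entry (status $?), backup in $demo.bak"
fi
echo "after: $(root_entry_count "$demo") uid-0 entries"
```

Running it twice is the point: the second call finds the entry and leaves the file alone, so the function is safe to run from a recovery script without checking first.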

Once I had a root account back I rebooted to get things back to a more normal mode. When the machine was back up I started poking around and found in the .sh_history that the cracker had started an rm -rf process for each file system and put each one in the background to run.
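Two of the checks from that morning, the df comparison that revealed the shrinking file systems and the .sh_history read that showed one backgrounded rm -rf per file system, as an added example that is not part of the original article. The df snapshots and the history file are constructed sample data in the style of `df -k` and a Bourne-shell history; the 10% threshold and the list of destructive commands are assumptions.

```shell
#!/bin/sh
# Added example (not the article's own code): post-incident triage helpers.
# df_shrink compares two df snapshots and reports file systems whose used
# space dropped sharply; history_scan flags destructive commands in a shell
# history and notes which ones were pushed into the background with "&".
# All inputs below are constructed, not real captures.

# Snapshot 1 (constructed): columns are Filesystem 1024-blocks Used Available Capacity Mounted-on
DF_BEFORE='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/rz0a 65536 41000 24536 63% /
/dev/rz1c 1048576 900000 148576 86% /home
/dev/rz2c 524288 410000 114288 78% /var/spool/mail
/dev/rz3c 2097152 1800000 297152 86% /home2'

# Snapshot 2 (constructed): taken seconds later while the user file systems are being wiped
DF_AFTER='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/rz0a 65536 41000 24536 63% /
/dev/rz1c 1048576 120000 928576 12% /home
/dev/rz2c 524288 405000 119288 77% /var/spool/mail
/dev/rz3c 2097152 0 2097152 0% /home2'

# Constructed .sh_history: one rm -rf per user file system, each backgrounded
SAMPLE_HISTORY='w
ls -la /home
rm -rf /home &
rm -rf /home2 &
rm -rf /var/spool/mail &
ps -ef
exit'

# df_shrink BEFORE AFTER [PERCENT]
# Prints "mountpoint used_before used_after" for each file system whose Used
# column fell by more than PERCENT (default 10) between the two snapshots.
df_shrink() {
    pct=${3:-10}
    printf '%s\n' "$1" "$2" | awk -v pct="$pct" '
        NR == 1 { next }                          # header of first snapshot
        /^Filesystem/ { second = 1; next }        # header of second snapshot
        !second { used[$NF] = $3 + 0; next }      # first snapshot: remember Used per mount point
        {
            mp = $NF; before = used[mp]; after = $3 + 0
            if (before > 0 && (before - after) * 100 / before > pct)
                printf "%s %d %d\n", mp, before, after
        }'
}

# history_scan HISTORY_TEXT
# Prints "line: command [backgrounded]" for recursive forced rm, mkfs/newfs,
# shred, or dd writing straight to a device node.
history_scan() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            rmrf  = "(^|[;&| ])rm +-[A-Za-z]*([rR][A-Za-z]*f|f[A-Za-z]*[rR])"
            other = "(^|[;&| ])(mkfs|newfs|shred) "
            ddraw = "(^|[;&| ])dd .*of=/dev/"
        }
        $0 ~ rmrf || $0 ~ other || $0 ~ ddraw {
            bg = ($0 ~ /&[ ]*$/) ? " [backgrounded]" : ""
            printf "%d: %s%s\n", NR, $0, bg
        }'
}

# Stand-alone run on the constructed data.
echo "file systems losing data between samples:"
df_shrink "$DF_BEFORE" "$DF_AFTER"
echo "destructive commands in history:"
history_scan "$SAMPLE_HISTORY"
```

On a live box you would feed df_shrink two real `df -k` captures a few seconds apart; a file system that is losing space while nobody is supposed to be deleting anything is the signal the author saw, and the history scan is the first place to look afterwards for how it was done and whether the deletions were left running in the background.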

One by one I brought up the other machines and looked at them; it did not look like he had cracked any of the others. It appeared that he had cracked one machine and started destroying things immediately.

The most important loss was that most of the user home directories had been removed. In addition, the custom software had all been removed, and so had the software packages that we had spent so much time compiling and configuring. It was going to take a long time to repair all of this, but nothing compared to the time the first rebuild had taken.

Turning to my sniffer logs I looked to see if I could tell how he had cracked the mail server and whether he had left any more back doors. It looked like he had placed a back door program in a home directory on the machine that allowed logins, and then used an exploit in statd to execute the back door as root. The back door was a program that listened on the network and gave anyone who connected to it a root shell. It also looked like, as soon as he was able to connect as root, he started removing everything he could find.

Once I had a good idea of how he had gotten in I started working to recover the system. The first thing I started was recovering the user data from our backup tapes, as this was the part I was most worried about. Murphy's law is in full force when you have to recover things from tape, and it is compounded when the tapes and drives you have are old and every tape drive is a different model because they were all donated.

The first problem we found with the tapes was that the disk space in use had exceeded the capacity of the tape, so not all of the home directories were on the recent tapes. The second was that not all of the old tapes worked. I had manually made a few backups of all the users' configuration files and their public_html directories in a tar file, and this was still on some of our tapes, so almost all of the users' web pages were recovered. On the down side, most of the mail in the mail spool was gone and some users had lost almost all their files.
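The two tape failures described above, data that had outgrown the tape and old tapes that would not read, as the checks you would want to run before trusting a backup. This is an added example and not the author's scripts: it builds a constructed home-directory tree and a tar archive in a temporary directory, and the tape capacity, the list of must-have paths and the truncated-archive stand-in for a bad tape are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not the article's own code): verify a tar backup the way the
# author wished he had. Three checks: does the data fit the medium, does the
# archive list cleanly and contain what it must, and does a test restore match
# the original. All files are constructed in a temp directory.

# make_demo_tree : builds a small /home-like tree (constructed) and prints its path
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/noel/public_html" "$d/home/admin1/help"
    printf 'alias ll="ls -l"\n' > "$d/home/noel/.profile"
    printf '<html>hello</html>\n' > "$d/home/noel/public_html/index.html"
    printf 'How to read mail\n' > "$d/home/admin1/help/mail.txt"
    echo "$d"
}

# fits_on_tape DIR CAPACITY_KB : 0 if du says DIR fits on a tape of that size,
# 1 plus a warning if it does not (the check that would have caught the first failure)
fits_on_tape() {
    used=$(du -sk "$1" | awk '{ print $1 }')
    if [ "$used" -gt "$2" ]; then
        echo "WARN: $1 needs ${used}K but the tape holds ${2}K" >&2
        return 1
    fi
    return 0
}

# make_backup DIR TARFILE : archives DIR/home with paths relative to DIR
make_backup() {
    (cd "$1" && tar cf "$2" home)
}

# verify_backup TARFILE MUST_HAVE... : 0 only when the archive lists without
# error and contains every required path; names what is missing on stderr
verify_backup() {
    tf=$1; shift
    listing=$(tar tf "$tf" 2>/dev/null) || { echo "FAIL: cannot read $tf" >&2; return 1; }
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$listing" | grep -qx "$p"; then
            echo "MISSING: $p" >&2
            rc=1
        fi
    done
    return $rc
}

# test_restore TARFILE ORIGINAL_DIR : extracts into a scratch directory and
# diffs the result against the original; this is what catches a bad tape
test_restore() {
    scratch=$(mktemp -d)
    (cd "$scratch" && tar xf "$1") || return 1
    diff -r "$2/home" "$scratch/home"
}

# Stand-alone run on the constructed tree; 2000000K tape capacity is an assumption.
TREE=$(make_demo_tree)
ARCHIVE="$TREE/backup.tar"
fits_on_tape "$TREE/home" 2000000 && echo "data fits on the tape"
make_backup "$TREE" "$ARCHIVE"
verify_backup "$ARCHIVE" home/noel/public_html/index.html home/admin1/help/mail.txt && echo "archive lists and has the required files"
test_restore "$ARCHIVE" "$TREE" && echo "test restore matches the original"
```

The restore-and-diff step is the one that gets skipped because it takes time, and it is the only one of the three that tells you an old tape is actually readable end to end.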

While the tapes were restoring things I started rebuilding the rest of what we had lost. This was much easier than the first time, as we had not lost everything, and I had done this once before and did not have to repeat all of the learning curves.

We had been running statd mainly because the POP server we were using required us to run it as part of NFS. So, as you can expect, I went looking for a new popd. Finding one that did the job and did not require statd was not that hard, and I cursed the fact that I had not done it in the first place.
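A check for the exposure that was only noticed after the fact, statd registered with the portmapper because a mail service dragged it in. This is an added example, not from the original article: it parses `rpcinfo -p` style output (program, version, protocol, port, service name, with rpc.statd appearing as `status`), and the two captures below are constructed to show the before and after pictures.

```shell
#!/bin/sh
# Added example (not the article's own code): list which RPC services a host
# has registered and fail if one you meant to turn off is still there.
# The two rpcinfo captures are constructed samples.

RPC_WITH_STATD='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    823  status
    100024    1   tcp    825  status
    100021    1   udp   2049  nlockmgr'

RPC_AFTER_FIX='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper'

# rpc_services RPCINFO_TEXT : distinct registered service names, one per line
rpc_services() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 5 { print $5 }' | sort -u
}

# rpc_unwanted RPCINFO_TEXT [NAME...]
# Returns 1 and reports each listed service that is still registered;
# with no names given it checks for status (rpc.statd), the one in this story.
rpc_unwanted() {
    text=$1; shift
    [ $# -eq 0 ] && set -- status
    rc=0
    for svc in "$@"; do
        if rpc_services "$text" | grep -qx "$svc"; then
            echo "EXPOSED: $svc is registered with the portmapper" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: before replacing popd, and after statd was turned off.
echo "registered before the fix:"; rpc_services "$RPC_WITH_STATD"
rpc_unwanted "$RPC_WITH_STATD" status nlockmgr || echo "not safe to go back online yet"
rpc_unwanted "$RPC_AFTER_FIX" && echo "no unwanted RPC services registered"
```

On a real host you would pipe `rpcinfo -p` into rpc_unwanted with the list of services that have no business being reachable, and run it as part of the "before we reconnect" checklist rather than once.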

It turned out that Digital Unix did not fix this bug in statd for six more months. The open source versions were already fixed at the time we were cracked. It is interesting to me that even with this sort of evidence there is still a large group of computer managers who avoid open source software due to "support issues".

Once we had the hole secured by turning statd off, we connected back to the Internet and turned our services back on as we installed and configured them. It was not long after we started running our IRC server again that the cracker showed back up to talk about his conquest.

He started off the conversation bragging and happy about the damage he had done. The other people and I were angry, and as the conversation went on we became more and more angry.

I have changed the names of the other people in the conversation and edited it to remove a lot of side conversations and comments. It has also been cut down to the most relevant parts.

Cracker - hey, noel, ol' buddy
Cracker - what a surprise
* Cracker grinz
User2 - Cracker boy was about to tell us about hacking and stuff
Cracker - dont u wish
Noel - You know I thought you had class and skill.
Cracker - i do
User1 - he has absolutely no class.
Cracker - well, skill at least :)
Noel - Lots oh skill it takes to type rm -rf
He tells us all about how we made him do these things and that it is all our fault. Little children talk like this: if you ask them why they did something, what you hear is a tale about how the other person is at fault because they made them do it. We are all responsible for our own decisions.
Cracker - u know at some point its the only thing u can type
Cracker - your friend didn't leave me any other choice
Noel - hah. That is the path that leads down a sad sad life
Noel - so you planned to do it it was not just an impulse?
User1 - how bout a path to jail jail jail?
Cracker - u pissed noel? what the hell did u expect?
* Cracker is sorry he didn't do it in december
Noel - I think that you planned to do it anyway, that Admin1 was just the excuse. Is that right?
Cracker - i wouldnt have done it if he agreed to my demands
Noel - those were not demands they where just crap
Cracker - well you should probably thank me anyway, those disks needed a major clean up :)
Noel - Tell me the truth if you have any in you... you just in it for the power trip right?
Cracker - noel the truth is i do what i say
Cracker - noel: and there is more damage that can be done :)
Noel - like what?
He continues by telling us how he was unfairly treated on our IRC and how this justified his revenge. Again, it is not his fault; we made him do it. He also makes some amazing statements, such as asking us if we think we own this place. Why yes, I guess we do.
Cracker - Admin1 you know i wanted to avoid the trouble and all that and i'd have even settled down for you staying around but just removing the cops from irc
Cracker - but u refused
Cracker - soooo... u want war... you got it
* Cracker is armed and dangerous
Noel - crap and more crap
Noel - you where planning this all along from when we came down in dec
Cracker - noel one way or another i aint leaving u alone while Admin1 is here.. and thats ur problem not mine
Noel - no it's your problem
Noel - but only one of many I am sure
Cracker - i was treated badly by the irc staff here 2 years ago.
Cracker - just tell me how pissed u are because of what was done? i couldnt care less
Cracker - who cared when i was banned from here etc?
Noel - heh no grudge just a power game
Admin1 - you were treated fairly
Cracker - i was NOT.
Cracker - who the fuck are you to judge me?
Cracker - u think u own this place?
Noel - after all your such a nice guy who would treat you bad
Cracker - my friends and i were treated unfairly
Noel - You don't like a place you leave not try to burn it down
Cracker - and the cop system is wrong
The cop system he is referring to is the IRC operator system. On our little IRC it had been formalized and had multiple layers of power. I personally thought that too many people did get a little power on IRC and then turn into little Hitlers. Not that this excuses what the cracker did.
Cracker - its got to go
Cracker - and it will go
* Cracker has burned a lot of stuff in his time
As I have said, as this went on I became more and more angry. At some point the conversation degenerated into name calling. I have skipped most of that.
Cracker - but i owned ur sorry ass for half a year
Noel - so what you had root big shit
Cracker - it's pretty big shit considering u didnt know about it
Noel - buy a linux cd then you can have root gosh
Cracker - lemme see u have root on my computer without me knowing... u wont laast even one minute
Cracker - lamer
Noel - oh man yeah that is hard to lock down a single user machine gosh that takes skill
Noel - you probable have to know how to use pico or something to do that
Cracker - i want u to DIE!
Cracker - and u will :)
Cracker - sooner or later
Cracker - heheheh
* Cracker fears noel's eleet /noexec skillz
USER2 - odd phonetic mispellings identifies Cracker as a member of the "eleet" underground.
Cracker - Y3a|-| 3Y3 aM a 31337 |-|@KK3R d00d!@#
Noel - oh what skill he has he knows the elite codes
Cracker - what does power mean if someone else gave it to u? nothing.
Cracker - i have the power cuz i have knowledge
Cracker - while u folks are just a bunch of clueless lamerz
Noel - but no one took our power gosh
Cracker - noel: not yet.
Noel - heh. You know I bet you are the saddest and most alone person here
This was one of the things that I wish I had not said. Not because it came back to haunt me, but because I said it just to try to get at him, to hurt him back in the only way I could, and that is not the kind of person I want to be. Turning the other cheek can get very hard sometimes.
Admin1 - the lil prick finally showed himself for what he was when he started deleting our system
Admin1 - that is how he get is kicks
Cracker - but i bet i'm the smartest one too
Cracker - and the craziest
Cracker - so there
Noel - not crazy just sad
Cracker - noel what crap?
Cracker - or what was crap
Noel - all the crap you told me when you were pretending to be a skilled unix guy
Cracker - yeah noel i just fooled you! i'm really a lamer. no skillz at all
Cracker - i'm an 11 year old that gets his skriptz from www
Cracker - fear my 31337 altavista searching skillz.
Noel - he is so skilled that he talks in irc rather than having a job
Cracker - oh yeah i forgot all the eleet craquer typez get their infoz from bugtraq
I think that one of the reasons I was so angry was that I had started liking the cracker when I had been talking to him before the second crack and the removal of everything he could get at. I really had not believed that he would do something like that, and the truth did hurt. I could see myself, if life had gone differently for me, cracking some machines for the challenge and the excitement, to learn and become an expert. But I could not imagine trashing a machine like he had done.
Cracker - noel i really dont know what your doing in here. i got nothing against u, it's nothing personal u know
Noel - You know I had respect for you before you got destructive
Cracker - so you can say what ever, i'm just going to ignore you. i dont take stuff personally unless it hurts me.
Noel - But I have learned to my sadness that I was wrong about you
Noel - complete wrong.
Cracker - noel: i dont really care for your opinion on me
If there is a Denial of Service creed this might be it.
Cracker - i feel content when i can do a lot of damage with very little effort
Cracker - its like, i waste 10 hours, and make you folks waste 1000 hours for that
Cracker - it's pretty effective.
Noel - we are not wasting our time
Cracker - noel: you sure are. the system now is pretty much the same as before.you didn't learn anything.

One of the people who lost the most work in this is labeled Admin1 in these conversations. He had been working on a set of user help files and other things like this that had been in his home directory and were completely lost. He had been pretty upset and depressed by this loss, and I am sure that the following conversation did not help.

Cracker - u should all thank me, the disks were full of useless shit from 4 years ago
Cracker - Admin1: your home directories were especially full of shit, i trashed them first to make sure they were gone
Cracker - arent u proud of me?
Cracker - i looked at Admin1 files though.. they were shit
Cracker - hey btw... i made a backup of the home dirs of the staff on here a while back.. i can let u have some of the files back if u beg me
Admin1 - OK...I beg you to give me the help files back
Admin1 - satisfied?
Cracker - Admin1: i have those files
Cracker - :)
Admin1 - OK...I begged. now you do your part
Cracker - i think i even have them on my own computer... lemme check

[Screen paste of list of files]

Cracker - is that it Admin1?
Admin1 - yep ... appears to be
Cracker - i have it.
Cracker - u can try to haq me :)
Cracker - letz see how 31337 u r
Cracker - lets face it Admin1... u knew what was gonna happen if u didnt agree to any of my demands.... so dont blame me ok

After this series of conversations we just stopped hearing from the cracker. It would have been a nicer end to have the police kick in his door and arrest him. But when it comes down to it, there are lots of problems tracking people down over the net and convicting them of a crime. Emailing some script kiddie's provider and having his account turned off does not require the same level of proof that the police need to secure a conviction.

To the best of our knowledge he never cracked us again. At the very least, if he did crack us he kept a low profile and did no noticeable damage. We did have a couple of smurf attacks that may have been from him, but we were not sure.

If there was one lesson I would highlight from all the lessons I learned from these events, it would be that you must secure your own systems: police your own yard. If you do not, you are going to be cracked, and once you are there may be nothing you can do but start protecting yourself. The net is still a wild and unpoliced wilderness full of script kiddies and crackers.


Copyright 1999-2005 Noel Davis. Noel also runs web sites about sailing and kayaking.