How I found a hacker hiding in my Linux box

"Basically, you're stuffed." These were the words of my friend and colleague Mark Anderson - one of the smartest and most technologically literate people I know. At issue were a couple of other words I noticed while playing with my Linux computer. For the uninitiated, the Linux operating system, unlike a Windows or Mac machine, is often operated from a simple text interface called a command line. Linux lets you flip back through the most-recently typed commands as a convenience. As I was flipping one evening, I arrived at this line:

    [root@magellan /]# adduser bonez

The "#" prompt shows that whoever typed this was logged in as root, the all-powerful administrator account, and the two words after it form the command that instructs Linux to add a user to the system. Problem was, I don't know anybody named "bonez". And I didn't remember adding bonez to my computer's user list. Mark confirmed it: I'd been hacked.

I'm not much of a Linux expert. I am inordinately interested in computers and computing, but mostly, I stick to my Macintosh - the computer for "the rest of us". However, Linux, the free operating system, is one of the first fruits of a world that has recently become globally connected. So I bit the bullet, bought a cart full of parts and built my own Linux computer. It wasn't as hard as it sounds, and magellan.gulker.com (the machine's Internet hostname) has been up, and on the Net, ever since.

But using an advanced operating system that was created by and for the Mark Andersons of this world is another matter. Linux is as complex and non-intuitive as it is powerful. Despite recent, worthy attempts at making Linux more accessible, it remains fiendishly technical. My copy of Linux for Dummies is well-thumbed, but weeks go by without a log-in to the Linux machine. By me, anyway. However, that didn't seem to bother bonez. He was logging in just fine.

Mark gave me a few tips on how to become a Linux detective by reading log files. Linux records all sorts of information about what's happening in the system - it makes it easier for programmers to figure out what's going on. I dug into one of the many system logs that Linux maintains and found confirmation:

    Mar 2 14:45:37 magellan adduser[5279]: new user: name=bonez, uid=504, gid=504, home=/dev/.d, shell=/bin/bash

Well now, here I was being a veritable Tsutomu Shimomura hot on the trail of my own personal Kevin Mitnick. Shimomura tracked down Mitnick in 1995 in perhaps the most celebrated hacking event ever. Mitnick was only recently released from a United States federal prison.

The pursuit was on. The log line says that when the bonez account was created, at 14:45 GMT, its home directory was set to one called ".d". A directory is the Linux equivalent of a folder on a Mac or Windows machine, and the period in front of the "d" meant that the directory would be invisible in a casual scan: by convention, the Linux listing command skips files and directories whose names start with a period unless you ask for them ("ls -a" shows them). Fiendish!

The directory was also tucked away in a funny place - "dev", which is where Linux keeps its device files (disks, terminals and the like), not anybody's personal files. Most users' files are kept in a directory called "home". A more revealing listing (the long form of the listing command) of bonez' directory presented the following:

    -rw------- 1 bonez bonez 129417 Mar 2 14:47 egg.config
    -rwxr-xr-x 1 bonez bonez 491060 Nov 29 15:20 httpd

Now, it's taken me a while to make sense of Linux directory listings, and by this time I had a couple dozen sheets of log and directory printouts all over my desk. These are clearly bonez' files, as evidenced by the two columns that name the owner and the group of each file: both read "bonez".

The actual filenames are the last words on each line. One that jumped out at me was "httpd", which is the usual name for a web server program on Unix and Linux systems.
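Putting the log search and the hidden-directory check into a script, as an added example that is not the author's code: it pulls the "new user" records that adduser writes to the system log, parses /etc/passwd (the file that actually lists accounts, which an intruder could edit by hand without leaving any log line), and flags every account whose home directory is hidden or sits outside /home, as bonez' /dev/.d did. The log lines and passwd entries below are constructed for the example; only the bonez log line is the one quoted in the article.

```python
"""Audit a Linux box for accounts added the way "bonez" was.

Two checks, run over text you would normally pull from /var/log/messages
(or /var/log/secure) and /etc/passwd:
  1. Every "new user" record that adduser/useradd logged, with its timestamp.
  2. Any account, logged or not, whose home directory is a dot-directory or
     lives outside /home while the account still has a login shell.
Accounts that the log says were created but that are no longer in passwd are
reported too: the log remembers what the intruder later cleaned up.
"""
import re
from typing import Dict, List, NamedTuple

# Constructed sample data for the example; the bonez line is the article's.
SAMPLE_SYSLOG = """\
Mar  2 14:40:01 magellan CROND[5201]: (root) CMD (run-parts /etc/cron.hourly)
Mar 2 14:45:37 magellan adduser[5279]: new user: name=bonez, uid=504, gid=504, home=/dev/.d, shell=/bin/bash
Mar  3 09:12:10 magellan adduser[6110]: new user: name=alice, uid=505, gid=505, home=/home/alice, shell=/bin/bash
Mar  3 09:13:02 magellan useradd[6121]: new user: name=backup, UID=506, GID=506, home=/var/backups, shell=/sbin/nologin
Mar  4 02:17:55 magellan adduser[7002]: new user: name=w00t, uid=507, gid=507, home=/tmp/.x, shell=/bin/bash
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
bonez:x:504:504::/dev/.d:/bin/bash
alice:x:505:505:Alice:/home/alice:/bin/bash
backup:x:506:506::/var/backups:/sbin/nologin
"""

# Matches both the older lowercase "uid=" wording and useradd's "UID=".
NEW_USER_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:adduser|useradd)\[\d+\]: new user: name=(?P<name>[^,]+), "
    r"uid=(?P<uid>\d+), gid=(?P<gid>\d+), home=(?P<home>[^,]+), shell=(?P<shell>\S+)",
    re.IGNORECASE,
)


class Account(NamedTuple):
    name: str
    uid: int
    home: str
    shell: str
    created: str  # syslog timestamp, or "" when only /etc/passwd knows about it


def parse_new_users(syslog_text: str) -> List[Account]:
    """Return every account creation that adduser/useradd logged."""
    found = []
    for line in syslog_text.splitlines():
        m = NEW_USER_RE.match(line)
        if m:
            found.append(Account(m["name"], int(m["uid"]), m["home"], m["shell"], m["stamp"]))
    return found


def parse_passwd(passwd_text: str) -> List[Account]:
    """Parse /etc/passwd lines (name:pw:uid:gid:gecos:home:shell)."""
    accounts = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, home, shell = fields
        accounts.append(Account(name, int(uid), home, shell, ""))
    return accounts


def suspicious(acct: Account) -> List[str]:
    """Reasons an account's home directory looks like a hiding place."""
    reasons = []
    if any(part.startswith(".") for part in acct.home.split("/")):
        reasons.append("hidden (dot) directory in home path")
    interactive = not acct.shell.endswith(("nologin", "false"))
    if interactive and not (acct.home.startswith("/home/") or acct.home == "/root"):
        reasons.append("login shell but home outside /home")
    return reasons


def audit(syslog_text: str, passwd_text: str) -> Dict[str, List[str]]:
    """Merge log and passwd views; return {account: reasons} for the odd ones."""
    logged = {a.name: a for a in parse_new_users(syslog_text)}
    current = {a.name: a for a in parse_passwd(passwd_text)}
    findings: Dict[str, List[str]] = {}
    for name in set(logged) | set(current):
        acct = current.get(name) or logged[name]
        reasons = suspicious(acct)
        if name in logged and name not in current:
            reasons.append(f"created {logged[name].created} per syslog but no longer in /etc/passwd")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(audit(SAMPLE_SYSLOG, SAMPLE_PASSWD).items()):
        print(f"{name}: {'; '.join(reasons)}")
```

On a real machine the two inputs come from `grep 'new user' /var/log/messages` and `cat /etc/passwd`; the point of reading both is that the log only records what went through adduser, while passwd is what the system actually believes today.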

Why, I wondered, would bonez bother to upload his own copy of a web server, when most Linux distributions ship the Apache web server ready to run? Then it hit me: maybe bonez was running his own web server on my machine. I quickly logged myself in as bonez and typed the Linux command "ps", which reveals which programs are currently running (on its own it lists only the programs on your own terminal; "ps aux" lists everybody's, whoever you are logged in as). Sure enough! Bonez had an httpd process, that's Linuxese for program, running.

Ohmigod! Was Bonez running a porn site on my computer, over my Net connection, using my domain name? Or worse, was he maybe auctioning credit card numbers from my machine? The file "egg.config" was a long list of things that appeared to be encrypted. Many lists of credit card numbers stolen from ISPs and others are stored in encrypted form.

I was getting really nervous. I quit bonez' program. I changed his password. I e-mailed Mark for more advice, and included some of the evidence I'd turned up, hoping he'd render a verdict. Major porn ring? International credit-card runners? Something even worse?

Nope. I was being used to run something called "eggdrop", an Internet Relay Chat (IRC) bot that sits on chat channels around the clock on its owner's behalf; it is favoured by hackers and banned by most ISPs, which is why they plant it on other people's machines. Mark explained: "He just uses you to bounce an Internet Relay Chat connection. You don't have enough bandwidth or disk space to be attractive to steal, and you aren't famous enough to be defaced."

Ouch. Excuse me, I have to quickly go along to Amazon.com for my copy of Maximum Security Linux!

cg@gulker.com
