Looks like someone does on my Debian GNU/Linux ipchains box… and that someone isn’t me
For the non-technically inclined, that means my firewall got hacked.
This afternoon I logged in to kick off a photo thumbnailing and upload script I wrote. I’d noticed the box was running very slow, so I started to check things out. “df -h” showed the disks were more full than I’d remembered. Then the nasty evidence: “netstat -a” revealed dozens, if not hundreds, of outgoing ssh connections. “ps axf” indicated that a root kit was installed, if only partially successfully.
“/tmp/.src” was created as the staging directory for the root kit. “okas.tgz” showed up in some defunct “cp -f” processes and the binary “setpasswd” was replaced. If you hadn’t already guessed, my root password no longer works.
Perhaps most curious of all was that the intruder created an account, “adam”, and all this appears to have occurred today (October 3, 2004) at about 7:45am. Lucky thing I logged in, or else my poor old p166 could’ve been a pawn in some black hat’s DDOS attack.
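The symptoms above (a swarm of outbound ssh connections, a dot-directory under /tmp, an unexpected account, a replaced system binary) are the kind of thing a short triage script can flag on a box you suspect. The script below is an added example and not the author's own tooling; the netstat output, passwd entries, the “adam” account and a stand-in “setpasswd” file it checks are all constructed inline to mirror the post, and the checks are written as functions so they can be pointed at real `netstat -an` output, a real /etc/passwd and a real checksum list instead.

```shell
#!/bin/sh
# Added triage example, not the author's own script. All sample data below is
# constructed to resemble the symptoms described in the post.

SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT

# --- Constructed sample data ---------------------------------------------------
# What `netstat -an` might print on a box spraying outbound ssh (hypothetical hosts).
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:35010        203.0.113.5:22          SYN_SENT
tcp        0      0 192.0.2.10:35011        203.0.113.9:22          ESTABLISHED
tcp        0      0 192.0.2.10:35012        198.51.100.7:22         SYN_SENT
tcp        0      0 192.0.2.10:4412         198.51.100.20:80        ESTABLISHED'

# A passwd snapshot taken before the incident, and the file as it looks now.
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'daemon:x:1:1:daemon:/usr/sbin:/bin/sh' \
              'bob:x:1000:1000:Bob:/home/bob:/bin/bash' > "$SCRATCH/passwd.baseline"
{ cat "$SCRATCH/passwd.baseline"; echo 'adam:x:1001:1001::/home/adam:/bin/bash'; } > "$SCRATCH/passwd.now"

# A fake /tmp with a hidden staging directory, and a stand-in "setpasswd" whose
# checksum was recorded before it was replaced.
mkdir -p "$SCRATCH/tmp/.src" "$SCRATCH/tmp/normaldir"
printf 'original setpasswd\n' > "$SCRATCH/setpasswd"
( cd "$SCRATCH" && md5sum setpasswd > binaries.md5 )
printf 'trojaned\n' > "$SCRATCH/setpasswd"

# --- Checks --------------------------------------------------------------------
# 1. Outbound ssh: connections this host opened to a remote :22 (listener excluded).
#    Reads `netstat -an` style output on stdin, prints the count.
count_outbound_ssh() {
    awk '$1 == "tcp" && $5 ~ /:22$/ && $6 != "LISTEN" { n++ } END { print n + 0 }'
}

# 2. Usernames present in the current passwd file but absent from the baseline.
new_accounts() {  # new_accounts BASELINE CURRENT
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}

# 3. Dot-directories directly under a temp dir, the usual rootkit staging spot.
hidden_dirs() {  # hidden_dirs DIR
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '.*'
}

# 4. Files whose checksum no longer matches the baseline list. On Debian the
#    per-package lists in /var/lib/dpkg/info/*.md5sums can serve as that baseline,
#    provided they are read from trusted media rather than the suspect disk.
changed_binaries() {  # changed_binaries DIR MD5LIST
    ( cd "$1" && md5sum -c "$2" 2>/dev/null | awk -F: '$2 ~ /FAILED/ { print $1 }' )
}

triage() {
    echo "outbound ssh connections: $(printf '%s\n' "$NETSTAT_SAMPLE" | count_outbound_ssh)"
    echo "new accounts: $(new_accounts "$SCRATCH/passwd.baseline" "$SCRATCH/passwd.now")"
    echo "hidden dirs under tmp: $(hidden_dirs "$SCRATCH/tmp")"
    echo "changed binaries: $(changed_binaries "$SCRATCH" binaries.md5)"
}
triage
```

The checksum comparison is only as good as where the baseline and the tools come from: once root is lost, `md5sum`, `netstat`, `ps` and `find` on the box itself may be the replaced binaries, so run the checks from a known-clean boot medium or at least with statically linked copies carried in from elsewhere.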
I’d been rooted before, about 4 years ago when we rented in the Issaquah Highlands. I had a similar firewall setup, but I’d since moved from Slackware to Debian and been much more aggressive about filtering rules and updating patches. I only had a few services listening: http, ssh and ftp. So one of those must have tipped over.
Linux had been my firewall of choice since 1998. Back then, having a 3 subnet router, with 2 fast ethernet and pcmcia wifi cards would’ve earned major geek bragging rights (they didn’t quite have wifi then, but I digress) and it was the only cheap way to connect more than 1 PC to a cable modem. Today you can almost get a “broadband router” free with a box of cereal. Perhaps this is a sign that I should give up running ipchains and spend my beer money on a router at Walmart.
On a happier note, here are some cute new baby photos. Who can stay pissed off after seeing baby pictures?