Team Swingr Whitepaper

roothack.org

by Team Swingr

Well, the grace period started and none of us could be on-line, so we had a late start right from the beginning. Eventually we got on, got ssh and downloaded a new kernel, and replaced /bin/login with a trojaned prog. BTW, we had Storm Linux running a 2.2.14 kernel (race exploits galore). As the night progressed, I got some shuteye and came back in a couple hours, discovering that I couldn't connect to my own box. A combination of a screwed-up ipchains setup and the trojaned login led to our downfall. We had to wait for Epic to get home from work the next day to get everything started, which was an hour before the open session started.
We frantically compiled a new kernel, which wouldn't even work, and we had a corrupted ettercap, so we couldn't even do any scanning until we re-downloaded it, which was too late anyway. We also didn't have the chance to upgrade stuff like our ftpd, so we were kinda standing with the doors wide open.
Immediately we discovered that someone had taken dragnet's account on acheron and had local accounts on our box. Being the newbies that we are, it took us a while to figure out how to disconnect users, and even then it was too late. One second we were going about our own business, the next we were disconnected and couldn't get back on. A simple port scan showed us that Zion had closed all ports but 1, which was awaiting a specific something...we were done :( Never even had a chance to start our own attacks.
-swingr