[lug] [clue] HACKED!

Simos blug at chinesetearoom.com
Mon Feb 27 13:26:13 MST 2012 

Most likely - 69.31.121.43 is an Akamai content distribution server:

32940.ftp.download.akadns.net. 144 IN   A       69.31.121.43

repomd.xml looks like a SUSE repository info file:

ftp://69.31.121.43/opensuse/12.1/repodata/repomd.xml

Don't know why it's looking for it if auto-updates are set to off,
but then again I'm a Debian user...

On Monday 27 February 2012 13:21 David L. Willson wrote:
> Could this be innocuous? Could it be that you're running [Open]SUSE, and your machine's trying to update itself? 
> 
> David L. Willson 
> Trainer, Engineer, Enthusiast 
> RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP 
> tel://720.333.LANS 
> Freedom is better when you earn it. Learn Linux. 
> 
> ----- Original Message -----
> 
> > my machine has clearly been hacked and infected. any help greatly
> > appreciated. I have a wireshark capture of my machine trying to
> > access the akami ftp site when nothing other than wireshark was
> > running! additionally my machine is looking up downloads.suse.org
> > and the download.nvidiacom site every several minutes, again without
> > any other activity.
> 
> > i'm running open suse 12.1, automatic updates is set to not check for
> > updates. packagekitd is also frequently running for no good reason,
> > fairly alarming as it suggest someone has been futsing with my
> > system. what logs should i look at? transmission is also randomly
> > terminating without any notice of crash or any apparent reason
> > further suggesting that someone wants bandwidth on my machine, most
> > likely to steal files or run some sort of bot trying to attack other
> > sites (as the akami ftp access suggest). the akami ftp site is
> > password protected for "anonymous" logins and my machine is
> > responding with a password that seems to work specifically
> > "yast at 10.x.x" where x is a number i've blanked out for obvious
> > reasons. Scary!
> 
> > on further examination of the wireshark capture my machine is
> > entering the suse directory at the akami site (69.31.121.43) which
> > is NOT from a dns query further suggesting a virus/bot infection
> > since the ip address is obviously hard coded! further after it
> > succesfully logs into the akami site and changes directory a 951
> > byte file named "repo.md.xml" is being downloaded and then my system
> > is logged out of the akami site. very odd indeed!
> 
> > any one have any idea wtf is going on? is this a virus/bot or strange
> > behaviour somehow normal???
> 
> > this install has been running less than 1 month. also experiancing
> > apparent high load/delays randomly further suggesting a slow down
> > but the task monitors etc. don't show any apps using a lot of cpu
> > time. i'ts a dual core athlon running at 3Ghz and usually fairly
> > peppy. also having dropouts in audio playing movies that go away
> > later when playing the same file and have not occured before on at
> > least 2 different players (vlc and caffeine, vlc has it's own codecs
> > so it's not a codec issue).
> 
> > I have forwarded the wireshark capture to akami security of course.
> 
> > "The difference between genius and stupidity is that genius has it's
> > limits" Albert Einstein
> > _______________________________________________
> > clue mailing list: clue at cluedenver.org
> > For information, account preferences, or to unsubscribe see:
> > http://cluedenver.org/mailman/listinfo/clue

More information about the LUG mailing list