[lug] [clue] HACKED!

Bear Giles bgiles at coyotesong.com
Mon Feb 27 13:33:04 MST 2012


Could it be that auto-updates turn off the updates but not the
notifications of available updates?

I don't know how to do it in SuSE but in Debian and children all of the
information about where the package servers are located is in configuration
files and it's easy to only point to your own servers, or none at all.


On Mon, Feb 27, 2012 at 1:26 PM, Simos <blug at chinesetearoom.com> wrote:

> Most likely - 69.31.121.43 is an Akamai content distribution server:
>
> 32940.ftp.download.akadns.net. 144 IN   A       69.31.121.43
>
> repomd.xml looks like a SUSE repository info file:
>
> ftp://69.31.121.43/opensuse/12.1/repodata/repomd.xml
>
> Don't know why it's looking for it if auto-updates are set to off,
> but then again I'm a Debian user...
>
> On Monday 27 February 2012 13:21 David L. Willson wrote:
> > Could this be innocuous? Could it be that you're running [Open]SUSE, and
> > your machine's trying to update itself?
> >
> > David L. Willson
> > Trainer, Engineer, Enthusiast
> > RHCE MCT MCSE Network+ A+ Linux+ LPIC-1 NovellCLA UbuntuCP
> > tel://720.333.LANS
> > Freedom is better when you earn it. Learn Linux.
> >
> > ----- Original Message -----
> >
> > > My machine has clearly been hacked and infected. Any help greatly
> > > appreciated. I have a Wireshark capture of my machine trying to
> > > access the Akamai FTP site when nothing other than Wireshark was
> > > running! Additionally my machine is looking up downloads.suse.org
> > > and the download.nvidiacom site every several minutes, again without
> > > any other activity.
> >
> > > I'm running openSUSE 12.1; automatic updates is set to not check for
> > > updates. packagekitd is also frequently running for no good reason,
> > > fairly alarming as it suggests someone has been futzing with my
> > > system. What logs should I look at? Transmission is also randomly
> > > terminating without any notice of a crash or any apparent reason,
> > > further suggesting that someone wants bandwidth on my machine, most
> > > likely to steal files or run some sort of bot trying to attack other
> > > sites (as the Akamai FTP access suggests). The Akamai FTP site is
> > > password protected for "anonymous" logins and my machine is
> > > responding with a password that seems to work, specifically
> > > "yast@10.x.x" where x is a number I've blanked out for obvious
> > > reasons. Scary!
> >
> > > On further examination of the Wireshark capture, my machine is
> > > entering the SUSE directory at the Akamai site (69.31.121.43), which
> > > is NOT from a DNS query, further suggesting a virus/bot infection
> > > since the IP address is obviously hard coded! Further, after it
> > > successfully logs into the Akamai site and changes directory, a 951
> > > byte file named "repo.md.xml" is downloaded and then my system
> > > is logged out of the Akamai site. Very odd indeed!
> >
> > > Anyone have any idea wtf is going on? Is this a virus/bot, or is this strange
> > > behaviour somehow normal???
> >
> > > This install has been running less than 1 month. Also experiencing
> > > apparent high load/delays randomly, further suggesting a slowdown,
> > > but the task monitors etc. don't show any apps using a lot of CPU
> > > time. It's a dual core Athlon running at 3GHz and usually fairly
> > > peppy. Also having dropouts in audio playing movies that go away
> > > later when playing the same file and have not occurred before, on at
> > > least 2 different players (VLC and Caffeine; VLC has its own codecs
> > > so it's not a codec issue).
> >
> > > I have forwarded the Wireshark capture to Akamai security of course.
> >
> > > "The difference between genius and stupidity is that genius has it's
> > > limits" Albert Einstein
> > > _______________________________________________
> > > clue mailing list: clue at cluedenver.org
> > > For information, account preferences, or to unsubscribe see:
> > > http://cluedenver.org/mailman/listinfo/clue
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>
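Following the thread's conclusion that the capture looks like an openSUSE repository refresh (anonymous FTP login with a yast@ password, CWD into repodata, one small repomd.xml download from an Akamai CDN address) rather than a bot, here is an added triage helper that checks a reconstructed FTP control session against exactly that profile and lists anything that deviates. It is not code from the thread or from any of its posters; the session lines, the 10.0.0.5 host in the password and the 203.0.113.7 address are constructed, while the hostname and 69.31.121.43 come from the DNS answer Simos quoted.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed control-channel lines modelled on the session the original poster
# describes: anonymous login, yast@ password, CWD into repodata, RETR repomd.xml.
SESSION_OK = ["USER anonymous", "PASS yast@10.0.0.5",
              "CWD opensuse/12.1/repodata", "RETR repomd.xml", "QUIT"]
# Constructed session that breaks the profile: unusual password, extra file pulled.
SESSION_ODD = ["USER anonymous", "PASS guest", "CWD opensuse/12.1/repodata",
               "RETR repomd.xml", "RETR update.bin", "QUIT"]
# Hostname and address from the DNS answer quoted in the thread.
REPO_HOST = "32940.ftp.download.akadns.net"
DNS_SNAPSHOT: Dict[str, Set[str]] = {REPO_HOST: {"69.31.121.43"}}
ANON_USERS = {"anonymous", "ftp"}
YAST_PASS = re.compile(r"^yast@\S+$")          # yast@<host> password seen in the capture
REPODATA_DIR = re.compile(r"(^|/)repodata/?$")

def parse_ftp_commands(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Split control-channel lines such as 'RETR repomd.xml' into (VERB, argument)."""
    cmds = []
    for raw in lines:
        raw = raw.strip()
        if raw:
            verb, _, arg = raw.partition(" ")
            cmds.append((verb.upper(), arg))
    return cmds

def triage_session(dst_ip: str, lines: Iterable[str], repo_host: str,
                   dns: Dict[str, Set[str]]) -> Tuple[bool, List[str]]:
    """Return (matches_repo_refresh, findings): the session passes only as an anonymous
    yast@ login that ends in a repodata directory, fetches nothing but repomd.xml and
    talks to an address the repository name resolves to (the CDN behind that name is
    why the destination IP looked hard-coded in the capture)."""
    cmds = parse_ftp_commands(lines)
    user = next((a for v, a in cmds if v == "USER"), "")
    pw = next((a for v, a in cmds if v == "PASS"), "")
    cwd = [a for v, a in cmds if v == "CWD"]
    files = [a for v, a in cmds if v in ("RETR", "STOR")]
    last_dir = cwd[-1] if cwd else ""
    findings = []
    if user.lower() not in ANON_USERS or not YAST_PASS.match(pw):
        findings.append(f"login {user!r}/{pw!r} is not the anonymous yast@ pattern")
    if not REPODATA_DIR.search(last_dir):
        findings.append(f"final directory {last_dir!r} is not a repodata directory")
    if files != ["repomd.xml"]:
        findings.append(f"files transferred {files!r} are not just repomd.xml")
    if dst_ip not in dns.get(repo_host, set()):
        findings.append(f"{dst_ip} is not a current address of {repo_host}")
    return not findings, findings
```

In practice the DNS snapshot would be taken on the same host at the time of the capture, since a CDN name resolves to different addresses at different times and places; a non-empty findings list is a reason to look further, not proof of compromise.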