[lug] HACKED!

Matt Bidwell mbidwell at gmail.com
Mon Feb 27 13:23:01 MST 2012


My random guess is that even though you have turned off automatic
updates, it's still checking for them. Akamai is a caching server.
Usually when you go to a well visited site, say, the Google front
page, it's downloading it from an Akamai server at your local ISP, as
opposed to going to a Google datacenter.  Likely the same thing could
be happening with your updates, where a portion of the data is coming
from the local (ISP) cache server and the other portion coming from the
actual originating server (Suse/Nvidia).  The repo.md.xml looks Yum
related to me. Suse isn't my strong point though. I would run 'ps aux'
and start looking through the processes for suspicious processes.
Matt

On Mon, Feb 27, 2012 at 12:43 PM, philburt stortsky
<ppld.phil.stortz at hotmail.com> wrote:
> My machine has clearly been hacked and infected.  Any help greatly
> appreciated.  I have a wireshark capture of my machine trying to access the
> Akamai ftp site when nothing other than wireshark was running!  Additionally
> my machine is looking up downloads.suse.org and the download.nvidiacom site
> every several minutes, again without any other activity.
>
> I'm running openSUSE 12.1, automatic updates is set to not check for
> updates.  packagekitd is also frequently running for no good reason, fairly
> alarming as it suggests someone has been futzing with my system.  What logs
> should I look at?  Transmission is also randomly terminating without any
> notice of crash or any apparent reason, further suggesting that someone wants
> bandwidth on my machine, most likely to steal files or run some sort of bot
> trying to attack other sites (as the Akamai ftp access suggests).  The Akamai
> ftp site is password protected for "anonymous" logins and my machine is
> responding with a password that seems to work, specifically "yast at 10.x.x"
> where x is a number I've blanked out for obvious reasons.  Scary!
>
> On further examination of the wireshark capture my machine is entering the
> suse directory at the Akamai site (69.31.121.43), which is NOT from a DNS
> query, further suggesting a virus/bot infection since the IP address is
> obviously hard coded!  Further, after it successfully logs into the Akamai site
> and changes directory, a 951 byte file named "repo.md.xml" is being
> downloaded and then my system is logged out of the Akamai site.  Very odd
> indeed!
>
> Anyone have any idea wtf is going on?  Is this a virus/bot or strange
> behaviour somehow normal???
>
> This install has been running less than 1 month.  Also experiencing apparent
> high load/delays randomly, further suggesting a slowdown, but the task
> monitors etc. don't show any apps using a lot of CPU time.  It's a dual core
> Athlon running at 3GHz and usually fairly peppy.  Also having dropouts in
> audio playing movies that go away later when playing the same file and have
> not occurred before on at least 2 different players (vlc and caffeine; vlc
> has its own codecs so it's not a codec issue).
>
> I have forwarded the wireshark capture to Akamai security of course.
>
> "The difference between genius and stupidity is that genius has its
> limits"  Albert Einstein
>
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
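Matt's "look through the processes" step, as an added example that is not part of this thread: a small Python triage over `ss -tnp` output that names the process owning each outbound socket and treats package tooling reaching a mirror on an ftp/http/https port as expected update traffic, which is what a PackageKit fetch of repo metadata from a hard-coded mirror IP looks like from the host side. The updater list, the sample rows and every address other than 69.31.121.43 are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Assumed list of package tooling that legitimately fetches repo metadata on openSUSE.
EXPECTED_UPDATERS = {"packagekitd", "zypper", "zypp-refresh", "PackageKit"}
EXPECTED_PORTS = {21, 80, 443}  # ftp/http/https mirror fetches

# One row of `ss -tnp` (run as root so the owning process is shown), e.g.
# ESTAB 0 0 10.0.0.7:48212 69.31.121.43:21 users:(("packagekitd",pid=2210,fd=19))
SS_ROW = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+))?'
)

@dataclass
class Conn:
    peer_ip: str
    peer_port: int
    proc: Optional[str]   # None when ss could not show the owner (not run as root)
    pid: Optional[int]

def parse_ss(text: str) -> List[Conn]:
    """Parse `ss -tnp` output; the header row does not match and is skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_ROW.match(line.strip())
        if not m:
            continue
        ip, port = m.group("peer").rsplit(":", 1)
        pid = int(m.group("pid")) if m.group("pid") else None
        conns.append(Conn(ip, int(port), m.group("proc"), pid))
    return conns

def triage(conn: Conn) -> str:
    """Answer 'is this just an update check?' for one outbound connection."""
    if conn.proc is None:
        return "unattributed"      # rerun ss as root before concluding anything
    if conn.proc in EXPECTED_UPDATERS and conn.peer_port in EXPECTED_PORTS:
        return "expected-updater"  # package tooling reaching a mirror/CDN: normal
    return "review"                # anything else: match the pid against `ps aux`

def report(text: str) -> List[Tuple[Optional[str], str, str]]:
    return [(c.proc, f"{c.peer_ip}:{c.peer_port}", triage(c)) for c in parse_ss(text)]
# Constructed sample modelled on the FTP connection described in the thread.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.7:48212 69.31.121.43:21 users:(("packagekitd",pid=2210,fd=19))
ESTAB 0 0 10.0.0.7:51833 203.0.113.9:6881 users:(("transmission-gt",pid=1780,fd=33))
ESTAB 0 0 10.0.0.7:39004 198.51.100.20:443
"""
```

Feed it the real output of `ss -tnp` run as root (for example `report(open("ss.txt").read())`) and a "review" row is the one whose pid to chase with `ps aux`.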


