[volunteergrid2-l] my server has been hacked
sabotrax at gmail.com
Tue Mar 6 15:55:17 UTC 2012
Hi all,
it seems as if my server which is running tahoe has been hacked.
i hate to say this, but i think the introducer furl has to be changed again.
i just looked around my system when i saw a new dir "test" under
"/home" that has been created on 2012/02/21.
i then did:
root at foo:/home# lsof |grep test
bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
bash 1458 test rtd DIR 8,1 4096 2 /
bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
bash 1458 test mem REG 8,1 79712 14811193 /lib32/libresolv-2.13.so
bash 1458 test mem REG 8,1 46736 14811192 /lib32/libnss_files-2.13.so
bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
bash 1458 test mem REG 8,1 22092 14811194 /lib32/libnss_dns-2.13.so
bash 1458 test mem REG 8,1 126152 14811196 /lib32/ld-2.13.so
bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents
bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol
bash 1458 test 2u sock 0,7 0t0 85479769 can't identify protocol
bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
bash 1458 test 4u sock 0,7 0t0 85481277 can't identify protocol
bash 1458 test 5u sock 0,7 0t0 85698092 can't identify protocol
bash 1458 test 6u sock 0,7 0t0 85498612 can't identify protocol
bash 1458 test 7u sock 0,7 0t0 85576571 can't identify protocol
bash 1458 test 8u sock 0,7 0t0 86667704 can't identify protocol
bash 1458 test 9u sock 0,7 0t0 86667741 can't identify protocol
bash 1458 test 10u sock 0,7 0t0 86669526 can't identify protocol
bash 1458 test 11u sock 0,7 0t0 86669303 can't identify protocol
bash 1458 test 12u sock 0,7 0t0 86671788 can't identify protocol
bash 1458 test 13u sock 0,7 0t0 86670345 can't identify protocol
bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
bash 1458 test 15u sock 0,7 0t0 86671794 can't identify protocol
bash 1458 test 16u sock 0,7 0t0 86707925 can't identify protocol
bash 1458 test 17u sock 0,7 0t0 87574595 can't identify protocol
bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
root at foo:/home# halt
W: molly-guard: SSH session detected!
Please type in hostname of the machine to halt: foo
An alle Benutzer verteilte Nachricht von undo at foo (/dev/pts/0) um 16:24 ...
Das System wird sich JETZT zum Anhalten herunterfahren!
---
looks like my box has been a proud member of some botnet for the last two weeks.
atm i really don't know how this could have happened. i just wanted to
tell you guys as fast as possible.
greetings,
marcus
--
Give us this day our garlic bread and lead us not into vegetarianism
but deliver us some pizza.
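Added example, not part of Marcus's post: a small Python triage script that parses lsof output in its default column layout and flags the two indicators visible above, a process whose executable or working directory lives on a RAM-backed tmpfs mount, and an outbound connection to an IRC service port. The sample rows are constructed (modelled on the post, with a TEST-NET address in place of the real one) and the unprivileged user name and PID are assumptions.

```python
import re
from collections import defaultdict

# Directories a legitimate daemon's executable or cwd should never live in:
# RAM-backed mounts vanish on reboot, which is exactly why staged tools end up there.
TMPFS_PREFIXES = ("/run/shm/", "/dev/shm/", "/tmp/")
# Service names lsof resolves for ports typically used by IRC-controlled bots.
SUSPICIOUS_SERVICES = {"ircd", "ircs", "ircs-u"}

# Constructed sample rows in lsof's default layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME (NAME may contain spaces).
SAMPLE_LSOF = """\
bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
bash 1458 test 14u IPv4 89167118 0t0 TCP host.example:38455->192.0.2.10:ircd (SYN_SENT)
sshd 901 root txt REG 8,1 1134 45 /usr/sbin/sshd
sshd 901 root 3u IPv4 12345 0t0 TCP *:ssh (LISTEN)
"""


def parse_lsof(text):
    """Return one dict per lsof row; split on at most 8 gaps so NAME keeps its spaces."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "COMMAND":  # header or short row
            continue
        rows.append({"cmd": parts[0], "pid": int(parts[1]), "user": parts[2],
                     "fd": parts[3], "node": parts[7], "name": parts[8]})
    return rows


def triage(rows):
    """Map (command, pid, user) -> list of reasons the process looks suspicious."""
    findings = defaultdict(list)
    for r in rows:
        key = (r["cmd"], r["pid"], r["user"])
        # Executable (txt) or working directory (cwd) on a tmpfs mount.
        if r["fd"] in ("txt", "cwd") and r["name"].startswith(TMPFS_PREFIXES):
            findings[key].append(f"{r['fd']} on tmpfs: {r['name']}")
        # Outbound socket whose remote service name is an IRC port.
        if r["node"] in ("TCP", "UDP"):
            m = re.search(r"->\S+:(\S+)", r["name"])
            if m and m.group(1) in SUSPICIOUS_SERVICES:
                findings[key].append(f"outbound {r['node']} to {m.group(1)}: {r['name']}")
    return dict(findings)


if __name__ == "__main__":
    for proc, reasons in triage(parse_lsof(SAMPLE_LSOF)).items():
        print(proc, *reasons, sep="\n  ")
```

On a live box, feed it `lsof -n -P` piped output instead of SAMPLE_LSOF; with `-P` the port shows as a number rather than a service name, so extend SUSPICIOUS_SERVICES accordingly.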