[volunteergrid2-l] my server has been hacked
Brad Rupp
bradrupp at gmail.com
Wed Mar 7 21:35:29 UTC 2012
I would be curious to know if you figured out how they hacked you. That
is good information for all of us to know to make sure we don't have
similar holes.
Brad
On 3/6/2012 8:55 AM, sabotrax at gmail.com wrote:
> Hi all,
> it seems as if my server, which is running tahoe, has been hacked.
> i hate to say this, but i think the introducer furl has to be changed again.
>
> i just looked around my system when i saw a new dir "test" under
> "/home" that has been created on 2012/02/21.
> i then did:
>
> root at foo:/home# lsof |grep test
> bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
> bash 1458 test rtd DIR 8,1 4096 2 /
> bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
> bash 1458 test mem REG 8,1 79712 14811193 /lib32/libresolv-2.13.so
> bash 1458 test mem REG 8,1 46736 14811192 /lib32/libnss_files-2.13.so
> bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
> bash 1458 test mem REG 8,1 22092 14811194 /lib32/libnss_dns-2.13.so
> bash 1458 test mem REG 8,1 126152 14811196 /lib32/ld-2.13.so
> bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents
> bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol
> bash 1458 test 2u sock 0,7 0t0 85479769 can't identify protocol
> bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
> bash 1458 test 4u sock 0,7 0t0 85481277 can't identify protocol
> bash 1458 test 5u sock 0,7 0t0 85698092 can't identify protocol
> bash 1458 test 6u sock 0,7 0t0 85498612 can't identify protocol
> bash 1458 test 7u sock 0,7 0t0 85576571 can't identify protocol
> bash 1458 test 8u sock 0,7 0t0 86667704 can't identify protocol
> bash 1458 test 9u sock 0,7 0t0 86667741 can't identify protocol
> bash 1458 test 10u sock 0,7 0t0 86669526 can't identify protocol
> bash 1458 test 11u sock 0,7 0t0 86669303 can't identify protocol
> bash 1458 test 12u sock 0,7 0t0 86671788 can't identify protocol
> bash 1458 test 13u sock 0,7 0t0 86670345 can't identify protocol
> bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
> bash 1458 test 15u sock 0,7 0t0 86671794 can't identify protocol
> bash 1458 test 16u sock 0,7 0t0 86707925 can't identify protocol
> bash 1458 test 17u sock 0,7 0t0 87574595 can't identify protocol
> bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
> root at foo:/home# halt
> W: molly-guard: SSH session detected!
> Please type in hostname of the machine to halt: foo
>
> An alle Benutzer verteilte Nachricht von undo at foo
> (/dev/pts/0) um 16:24 ...
>
> Das System wird sich JETZT zum Anhalten herunterfahren!
>
> ---
>
> looks like my box has been a proud member of some botnet for the last two weeks.
> atm i really don't know how this could have happened. i just wanted to
> tell you guys as fast as possible.
>
> greetings,
> marcus
>
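The lsof listing quoted above contains three signals a defender can check for mechanically on any host: a process whose executable (the `txt` entry) is mapped from a world-writable tmpfs such as /run/shm, a path component made only of whitespace (the `/run/shm/ / /bot` trick used to hide the directory from a casual `ls`), and an outbound connection to an IRC port. The script below is an added example written for this page, not code from the list or from Tahoe; it parses `lsof` output in the same column layout as the post and flags those three conditions. The sample input is the post's own lines re-joined onto single lines, plus one constructed benign `sshd` line; the helper names and the set of watched services are assumptions, not anything the post prescribes.

```python
"""Flag lsof evidence of a process running out of shared-memory tmpfs
or phoning home to an IRC port (added example; not from the original post)."""
import re
from dataclasses import dataclass

# Directories from which a legitimate daemon should never be executing.
# /run/shm and /dev/shm are world-writable tmpfs, the classic drop site.
SUSPICIOUS_EXE_DIRS = ("/run/shm/", "/dev/shm/", "/tmp/", "/var/tmp/")

# Remote service names / ports as lsof prints them; "ircd" is what the post
# shows. The list is an assumption, extend it for your environment.
SUSPICIOUS_SERVICES = {"ircd", "ircu", "6667", "6697"}

# A path component consisting only of whitespace, e.g. "/run/shm/ / /bot".
WHITESPACE_DIR_RE = re.compile(r"/\s+/")

LSOF_COLUMNS = ("command", "pid", "user", "fd", "type",
                "device", "size", "node", "name")


@dataclass(frozen=True)
class Finding:
    pid: int
    user: str
    reason: str


def parse_lsof_line(line):
    """Split one lsof line into its nine columns. NAME is the tail of the
    line and may itself contain spaces, so split at most eight times."""
    parts = line.strip().split(None, 8)
    if len(parts) < 9:
        return None
    return dict(zip(LSOF_COLUMNS, parts))


def remote_service(name):
    """From 'local:port->remote:svc (STATE)' return the remote svc/port,
    or None if the NAME column is not a connection."""
    if "->" not in name:
        return None
    remote = name.split("->", 1)[1]
    remote = re.sub(r"\s*\(\w+\)\s*$", "", remote)  # drop "(SYN_SENT)" etc.
    return remote.rsplit(":", 1)[-1]


def find_suspicious(lsof_text):
    """Return one Finding per suspicious condition seen in the lsof text."""
    findings = []
    for line in lsof_text.splitlines():
        rec = parse_lsof_line(line)
        if rec is None or not rec["pid"].isdigit():
            continue
        pid, user = int(rec["pid"]), rec["user"]
        fd, node, name = rec["fd"], rec["node"], rec["name"]

        if fd == "txt":  # the process's executable image
            if name.startswith(SUSPICIOUS_EXE_DIRS):
                findings.append(Finding(pid, user,
                                        f"executable mapped from tmpfs/temp path: {name!r}"))
            if WHITESPACE_DIR_RE.search(name):
                findings.append(Finding(pid, user,
                                        f"whitespace-only directory in executable path: {name!r}"))

        if node in ("TCP", "UDP"):  # for sockets lsof puts the protocol in NODE
            svc = remote_service(name)
            if svc in SUSPICIOUS_SERVICES:
                findings.append(Finding(pid, user, f"outbound {node} to {svc}: {name}"))
    return findings


def suspicious_pids(findings):
    """Collapse findings to the set of PIDs worth pulling from /proc before halting."""
    return {f.pid for f in findings}


# Sample input: the post's lsof lines re-joined onto single lines, plus one
# constructed benign line for sshd so the benign path is exercised too.
LSOF_SAMPLE = "\n".join([
    "bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot",
    "bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash",
    "bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so",
    "bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents",
    "bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol",
    "bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486",
    "bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)",
    "bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)",
    "sshd 812 root txt REG 8,1 500000 1234 /usr/sbin/sshd",  # constructed benign line
])

if __name__ == "__main__":
    for f in find_suspicious(LSOF_SAMPLE):
        print(f"pid {f.pid} ({f.user}): {f.reason}")
```

Run it as `lsof -n -P | python3 lsof_check.py` style by feeding real output into `find_suspicious`; with the sample above it reports PID 1458 three times (tmpfs executable, whitespace directory, outbound ircd) and says nothing about sshd or the afs3-fileserver connection, which this check does not classify. Because the process here is a renamed `bash` binary, command-name based filtering alone would have missed it; the executable path and the socket destinations are the durable evidence, which is also why it is worth capturing `/proc/<pid>/exe`, `/proc/<pid>/cmdline` and the contents of the tmpfs directory before halting the box, as the post's `halt` destroys everything under /run/shm.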