[volunteergrid2-l] my server has been hacked
Jody Harris
jharris at harrisdev.com
Wed Mar 7 22:23:23 UTC 2012
I would be interested in a forensic profile. To start with, what OS were the
two hacked servers running at the time of the compromise?
thanks,
jody
----
Ph. 575-208-4567
- Think carefully.
On Wed, Mar 7, 2012 at 2:35 PM, Brad Rupp <bradrupp at gmail.com> wrote:
> I would be curious to know if you figured out how they hacked you. That
> is good information for all of us to know to make sure we don't have
> similar holes.
>
> Brad
>
> On 3/6/2012 8:55 AM, sabotrax at gmail.com wrote:
>
>> Hi all,
>> it seems as if my server which is running tahoe has been hacked.
>> i hate to say this, but i think the introducer furl has to be changed
>> again.
>>
>> i just looked around my system when i saw a new dir "test" under
>> "/home" that had been created on 2012/02/21.
>> i then did:
>>
>> root at foo:/home# lsof |grep test
>> bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
>> bash 1458 test rtd DIR 8,1 4096 2 /
>> bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
>> bash 1458 test mem REG 8,1 79712 14811193 /lib32/libresolv-2.13.so
>> bash 1458 test mem REG 8,1 46736 14811192 /lib32/libnss_files-2.13.so
>> bash 1458 test mem REG 8,1 1532104 14811189 /lib32/libc-2.13.so
>> bash 1458 test mem REG 8,1 22092 14811194 /lib32/libnss_dns-2.13.so
>> bash 1458 test mem REG 8,1 126152 14811196 /lib32/ld-2.13.so
>> bash 1458 test 0w REG 0,18 2153806 6108891 /run/shm/ / /bot/LinkEvents
>> bash 1458 test 1u sock 0,7 0t0 85480587 can't identify protocol
>> bash 1458 test 2u sock 0,7 0t0 85479769 can't identify protocol
>> bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
>> bash 1458 test 4u sock 0,7 0t0 85481277 can't identify protocol
>> bash 1458 test 5u sock 0,7 0t0 85698092 can't identify protocol
>> bash 1458 test 6u sock 0,7 0t0 85498612 can't identify protocol
>> bash 1458 test 7u sock 0,7 0t0 85576571 can't identify protocol
>> bash 1458 test 8u sock 0,7 0t0 86667704 can't identify protocol
>> bash 1458 test 9u sock 0,7 0t0 86667741 can't identify protocol
>> bash 1458 test 10u sock 0,7 0t0 86669526 can't identify protocol
>> bash 1458 test 11u sock 0,7 0t0 86669303 can't identify protocol
>> bash 1458 test 12u sock 0,7 0t0 86671788 can't identify protocol
>> bash 1458 test 13u sock 0,7 0t0 86670345 can't identify protocol
>> bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
>> bash 1458 test 15u sock 0,7 0t0 86671794 can't identify protocol
>> bash 1458 test 16u sock 0,7 0t0 86707925 can't identify protocol
>> bash 1458 test 17u sock 0,7 0t0 87574595 can't identify protocol
>> bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
>> root at foo:/home# halt
>> W: molly-guard: SSH session detected!
>> Please type in hostname of the machine to halt: foo
>>
>> An alle Benutzer verteilte Nachricht von undo at foo
>> (/dev/pts/0) um 16:24 ...
>>
>> Das System wird sich JETZT zum Anhalten herunterfahren!
>>
>> ---
>>
>> looks like my box has been a proud member of some botnet for the last two
>> weeks.
>> atm i really don't know how this could have happened. i just wanted to
>> tell you guys as fast as possible.
>>
>> greetings,
>> marcus
>>
>> _______________________________________________
> volunteergrid2-l mailing list
> volunteergrid2-l at tahoe-lafs.org
> http://tahoe-lafs.org/cgi-bin/mailman/listinfo/volunteergrid2-l
> http://bigpig.org/twiki/bin/view/Main/WebHome
>
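As an added triage example (editor's code, not from the thread or the Tahoe-LAFS project): group lsof rows by PID and flag the combination Marcus saw, a process whose executable or working directory sits on a tmpfs together with outbound IRC connections. The bash/1458 sample lines are re-joined from the quoted output; the sshd lines, the path prefixes and the IRC port list are constructed assumptions.

```python
"""Flag processes whose txt/cwd live on a tmpfs and which dial out to IRC,
the pattern in the quoted lsof output. Editor's example, not list code.
bash/1458 rows are re-joined from the post; sshd rows are constructed."""
from collections import defaultdict

SAMPLE_LSOF = """\
bash 1458 test cwd DIR 0,18 460 6108855 /run/shm/ / /bot
bash 1458 test txt REG 0,18 492135 6108126 /run/shm/ / /bot/bash
bash 1458 test 3u IPv4 6108142 0t0 UDP *:49486
bash 1458 test 14u IPv4 89167118 0t0 TCP foo.cyberdeck.null:38455->161.53.178.240:ircd (SYN_SENT)
bash 1458 test 18u IPv4 89167113 0t0 TCP foo.cyberdeck.null:49523->173.245.201.28:afs3-fileserver (SYN_SENT)
sshd 900 root txt REG 8,1 700000 123456 /usr/sbin/sshd
sshd 900 root 3u IPv4 55555 0t0 TCP foo.cyberdeck.null:ssh->10.0.0.5:52000 (ESTABLISHED)
"""

# Assumed heuristics: world-writable tmpfs/tmp paths and common IRC ports.
TMPFS_PREFIXES = ("/run/shm/", "/dev/shm/", "/tmp/", "/var/tmp/")
IRC_PORTS = {"6665", "6666", "6667", "6668", "6669", "6697", "7000"}

def parse_lsof(text):
    """Group rows by PID. NAME may contain spaces ('/run/shm/ / /bot'),
    so split into at most 9 fields and keep the remainder intact."""
    procs = defaultdict(lambda: {"cmd": None, "user": None, "files": []})
    for line in text.splitlines():
        parts = line.split(None, 8)
        if len(parts) < 9 or parts[0] == "COMMAND":
            continue
        cmd, pid, user, fd, ftype, _dev, _size, node, name = parts
        procs[pid]["cmd"], procs[pid]["user"] = cmd, user
        procs[pid]["files"].append((fd, ftype, node, name))
    return procs

def triage(text):
    """Return {pid: {cmd, user, reasons}} for processes matching the pattern."""
    findings = {}
    for pid, proc in parse_lsof(text).items():
        reasons = []
        for fd, _ftype, node, name in proc["files"]:
            if fd in ("txt", "cwd") and name.startswith(TMPFS_PREFIXES):
                reasons.append(f"{fd} on tmpfs: {name}")
            if node == "TCP" and "->" in name:
                remote = name.split("->", 1)[1].split()[0]  # drop "(SYN_SENT)"
                port = remote.rsplit(":", 1)[-1]
                if port.startswith("irc") or port in IRC_PORTS:
                    reasons.append(f"outbound IRC to {remote}")
        if reasons:
            findings[pid] = {"cmd": proc["cmd"], "user": proc["user"], "reasons": reasons}
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LSOF))
```

Run against `lsof -n -P` output from a live host the same way; the numeric-port form then makes the IRC_PORTS check do the work instead of the service-name match.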