| From | Andres <vandresv@gmail.com> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | My system was hacked...how? |
| Date | 2011-08-04 10:42 -0700 |
| Organization | http://groups.google.com |
| Message-ID | <429af088-6b92-455a-b27c-bfa2f132acae@h4g2000vbw.googlegroups.com> (permalink) |
Hello,

One of my Linux servers was hacked recently. I closed all connections to the offending IP (Japan) and now I am looking at what happened.

I found the following files in /dev/shm/tmp:

  binary executables: do and ss
  script: go

I issued an "ldd do" and it is linked using libc.so.6 and ld-linux.so.6. ss is not a dynamic executable (does that mean it is statically linked?). Also a bunch of ASCII files, each one of those files containing a list of IP addresses... a lot of them.

go script:

  ./ss 5901 -a $1 -i eth1 -s 8
  cat bios.txt | sort | uniq > $1.vnc
  ./do $1.vnc
  rm -rf bios.txt
  sh x

pass script:

  -----
  aloha
  delta
  alohaboh
  kyma
  pos
  --------------

Before I closed the connection I did a "ps -ef" and I got this:

  ./ss 5901 -a 209 -i eth1 -s 8

There was a lot of traffic going to a certain IP in Japan listening on port 5901 at that moment.

How can I detect what security breach was exploited on my system?

Thank you very much,
Andres
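Two of the first triage steps a responder would take on a box like this, as an added example (this is not code from the post or the thread, and all sample data in it is constructed): flag running processes whose executable lives in a writable scratch area such as /dev/shm or has been unlinked while running, and decide directly from a binary's ELF program headers whether it is dynamically linked, which is the fact ldd is reporting when it says "not a dynamic executable" (a PT_INTERP entry naming ld-linux.so is present in a dynamic executable and absent in a static one). The `build_elf64` helper only fabricates minimal, non-loadable ELF images so the check can be exercised offline; the process list and /proc/<pid>/exe readlink results are invented for the example.

```python
"""Post-compromise triage helpers (added example, not from the original post).

  triage_processes(): flag processes whose executable resolves into a scratch
                      directory, has been deleted, or is an unresolved './' path.
  is_dynamic_elf():   True if an ELF image carries a PT_INTERP program header
                      (needs ld-linux.so), False for a statically linked one.
"""
import struct

SCRATCH_DIRS = ("/dev/shm", "/tmp", "/var/tmp")  # assumption: the tmpfs/world-writable dirs to watch
PT_INTERP = 3


def triage_processes(ps_lines, exe_links):
    """ps_lines: lines of `ps -eo pid,user,args` including the header row.
    exe_links: {pid: readlink('/proc/<pid>/exe')} as collected by the responder.
    Returns [(pid, reason, args), ...] for processes worth a closer look."""
    findings = []
    for line in ps_lines[1:]:                     # skip the PID USER COMMAND header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, args = int(parts[0]), parts[2]
        exe = exe_links.get(pid, "")
        if exe.endswith(" (deleted)"):
            findings.append((pid, "executable unlinked while running", args))
        elif exe.startswith(SCRATCH_DIRS):
            findings.append((pid, "executable in scratch dir: %s" % exe, args))
        elif not exe and args.startswith("./"):
            findings.append((pid, "relative argv[0] with no resolvable exe", args))
    return findings


def is_dynamic_elf(data):
    """Walk the program headers of a little-endian ELF32/ELF64 image and report
    whether a PT_INTERP entry exists. Raises ValueError on non-ELF input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[5] != 1:
        raise ValueError("only little-endian images handled here")
    if data[4] == 2:                              # EI_CLASS == ELFCLASS64
        (e_phoff,) = struct.unpack_from("<Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    else:                                         # ELFCLASS32
        (e_phoff,) = struct.unpack_from("<I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    for i in range(e_phnum):                      # p_type is the first field in both layouts
        (p_type,) = struct.unpack_from("<I", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            return True
    return False


def build_elf64(ptypes):
    """Constructed test data: a bare ELF64 x86-64 header followed by one
    program header per entry in ptypes. Not loadable, just parseable."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                      64, 56, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return hdr + phdrs


# Constructed sample data modelled on the situation in the post.
SAMPLE_PS = [
    "  PID USER     COMMAND",
    "    1 root     /sbin/init",
    " 2203 root     /usr/sbin/sshd -D",
    "14891 apache   ./ss 5901 -a 209 -i eth1 -s 8",
    "14902 apache   sh go 209",
    "14910 apache   ./do 209.vnc",
]
SAMPLE_EXE = {
    1: "/sbin/init",
    2203: "/usr/sbin/sshd",
    14891: "/dev/shm/tmp/ss",
    14902: "/bin/dash",
    14910: "/dev/shm/tmp/do (deleted)",
}

if __name__ == "__main__":
    for pid, reason, args in triage_processes(SAMPLE_PS, SAMPLE_EXE):
        print("pid %d: %s  [%s]" % (pid, reason, args))
    print("dynamic:", is_dynamic_elf(build_elf64([1, PT_INTERP, 2])))
    print("static: ", is_dynamic_elf(build_elf64([1, 1])))
```

On a live system the `exe_links` mapping comes from `readlink /proc/<pid>/exe` for each pid, and `is_dynamic_elf` would be fed `open(path, "rb").read()`; both checks work from data you have already copied off the host, so they can be run on the evidence rather than on the compromised machine.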
My system was hacked...how? Andres <vandresv@gmail.com> - 2011-08-04 10:42 -0700
Re: My system was hacked...how? Lusotec <nomail@nomail.not> - 2011-08-05 11:44 +0100
Re: My system was hacked...how? jmclnx@SPAMisBADgmail.com (Jack McCue) - 2011-08-05 12:47 +0000