| Path | csiph.com!x330-a1.tempe.blueboxinc.net!usenet.pasdenom.info!goblin1!goblin.stu.neva.ru!postnews.google.com!h4g2000vbw.googlegroups.com!not-for-mail |
|---|---|
| From | Andres <vandresv@gmail.com> |
| Newsgroups | comp.os.linux.security |
| Subject | My system was hacked...how? |
| Date | Thu, 4 Aug 2011 10:42:41 -0700 (PDT) |
| Organization | http://groups.google.com |
| Lines | 45 |
| Message-ID | <429af088-6b92-455a-b27c-bfa2f132acae@h4g2000vbw.googlegroups.com> (permalink) |
| NNTP-Posting-Host | 66.229.123.50 |
| Mime-Version | 1.0 |
| Content-Type | text/plain; charset=ISO-8859-1 |
| X-Trace | posting.google.com 1312480233 29814 127.0.0.1 (4 Aug 2011 17:50:33 GMT) |
| X-Complaints-To | groups-abuse@google.com |
| NNTP-Posting-Date | Thu, 4 Aug 2011 17:50:33 +0000 (UTC) |
| Complaints-To | groups-abuse@google.com |
| Injection-Info | h4g2000vbw.googlegroups.com; posting-host=66.229.123.50; posting-account=9nFbwwoAAACTebMGor4Y00IYC0AAyCPo |
| User-Agent | G2/1.0 |
| X-Google-Web-Client | true |
| X-Google-Header-Order | HUALESNKRC |
| X-HTTP-UserAgent | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0,gzip(gfe) |
| Xref | x330-a1.tempe.blueboxinc.net comp.os.linux.security:23 |
Hello,

One of my Linux servers was hacked recently. I closed all connections to the offending IP (Japan) and now I am looking at what happened.

I found the following files on /dev/shm/tmp:

    binary executables: do and ss
    script: go

I issued a "ldd do" and it is linked using libc.so.6 and ld-linux.so.6. ss is not a dynamic executable (does that mean that it is statically linked?)

Also a bunch of ASCII files, each one of those files containing a list of IP addresses...a lot of them.

go script:

    ./ss 5901 -a $1 -i eth1 -s 8
    cat bios.txt | sort | uniq > $1.vnc
    ./do $1.vnc
    rm -rf bios.txt
    sh x

pass script:

    -----
    aloha
    delta
    alohaboh
    kyma
    pos
    --------------

Before I closed the connection I did a ps -ef and I got this:

    ./ss 5901 -a 209 -i eth1 -s 8

There was a lot of traffic going to a certain IP in Japan listening on port 5901 at that moment.

How can I detect what security breach was exploited on my system?

Thank you very much,
Andres
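Two of the questions in the post can be answered with a small amount of offline triage code: whether a binary that ldd calls "not a dynamic executable" is statically linked (it is, when the ELF image carries no PT_INTERP or PT_DYNAMIC program header), and which running processes execute out of writable scratch space such as /dev/shm, where the post found its files. The script below is an added example for this thread, not code from the original post; the ELF images, the ps -ef lines and the pid-to-executable map are constructed sample data, and the live /proc lookup assumes a Linux host with /proc mounted.

```python
"""Offline compromise-triage helpers (added example, not from the post).

elf_linkage()             -> 'static' / 'dynamic' / 'not-elf' for an ELF image
flag_suspicious_processes -> processes running from /dev/shm, /tmp, /var/tmp
                             or started by a relative path such as ./ss
All sample data at the bottom is constructed for the example."""
import os
import struct
from typing import Dict, Iterable, List, Optional

PT_DYNAMIC = 2          # program header types from the ELF specification
PT_INTERP = 3

# World-writable scratch locations where staged tools usually turn up.
SCRATCH_DIRS = ("/dev/shm", "/tmp", "/var/tmp")


def elf_linkage(data: bytes) -> str:
    """Classify an ELF image by scanning its program header table: the
    dynamic loader (and ldd) need PT_INTERP/PT_DYNAMIC; a static binary
    has neither, which ldd reports as 'not a dynamic executable'."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF":
        return "not-elf"
    is_64 = data[4] == 2                 # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little, 2 = big
    if is_64:
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
        phdr_fmt = endian + "IIQQQQQQ"   # Elf64_Phdr: p_type is the first field
    else:
        (e_phoff,) = struct.unpack_from(endian + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        phdr_fmt = endian + "IIIIIIII"   # Elf32_Phdr: p_type is the first field
    types = set()
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            break                        # truncated header table: stop scanning
        types.add(struct.unpack_from(phdr_fmt, data, off)[0])
    return "dynamic" if types & {PT_INTERP, PT_DYNAMIC} else "static"


def flag_suspicious_processes(ps_lines: Iterable[str],
                              exe_of_pid: Optional[Dict[int, str]] = None) -> List[dict]:
    """Parse `ps -ef` output (UID PID PPID C STIME TTY TIME CMD) and flag
    processes whose real executable sits in a scratch directory or whose
    command was invoked by a relative path.  exe_of_pid stands in for
    readlink(/proc/<pid>/exe); pass None to consult the live /proc."""
    findings = []
    for line in ps_lines:
        fields = line.split(None, 7)
        if len(fields) < 8 or not fields[1].isdigit():
            continue                     # header line or something malformed
        pid, cmd = int(fields[1]), fields[7]
        if exe_of_pid is not None:
            exe = exe_of_pid.get(pid, "")
        else:
            try:
                exe = os.readlink(f"/proc/{pid}/exe")   # may end in ' (deleted)'
            except OSError:
                exe = ""
        reasons = []
        if any(exe.startswith(d + "/") for d in SCRATCH_DIRS):
            reasons.append(f"executable in scratch dir: {exe}")
        if cmd.startswith("./"):
            reasons.append("invoked by relative path")
        if reasons:
            findings.append({"pid": pid, "cmd": cmd, "reasons": reasons})
    return findings


def _sample_elf64(phdr_types: Iterable[int]) -> bytes:
    """Minimal little-endian ELF64 image with the given p_type values
    (constructed test data; it is not a loadable program)."""
    types = list(phdr_types)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident,
                       2, 62, 1, 0x400000, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0) for t in types)
    return ehdr + phdrs


STATIC_SAMPLE = _sample_elf64([1])          # PT_LOAD only, like the post's 'ss'
DYNAMIC_SAMPLE = _sample_elf64([1, 3, 2])   # PT_LOAD + PT_INTERP + PT_DYNAMIC, like 'do'

# Constructed ps -ef output modelled on the line the post quotes.
SAMPLE_PS = """UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 09:12 ?        00:00:01 /sbin/init
root      2317     1  0 09:12 ?        00:00:00 /usr/sbin/sshd -D
root      4101  4099  0 10:41 pts/0    00:00:00 sh x
root      4242  4101  3 10:41 pts/0    00:02:11 ./ss 5901 -a 209 -i eth1 -s 8
""".splitlines()
# Constructed stand-in for readlink(/proc/<pid>/exe).
SAMPLE_EXE = {1: "/sbin/init", 2317: "/usr/sbin/sshd", 4101: "/bin/dash",
              4242: "/dev/shm/tmp/ss"}

if __name__ == "__main__":
    print("ss:", elf_linkage(STATIC_SAMPLE), " do:", elf_linkage(DYNAMIC_SAMPLE))
    for hit in flag_suspicious_processes(SAMPLE_PS, SAMPLE_EXE):
        print(hit["pid"], hit["cmd"], "->", "; ".join(hit["reasons"]))
```

On a real host, run `flag_suspicious_processes(open_ps_output, None)` over the output of `ps -ef` and feed `elf_linkage()` the bytes of each file found under /dev/shm before anything is deleted; resolving /proc/<pid>/exe rather than trusting the CMD column is what catches a tool started by relative path from a scratch directory.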
My system was hacked...how? Andres <vandresv@gmail.com> - 2011-08-04 10:42 -0700
Re: My system was hacked...how? Lusotec <nomail@nomail.not> - 2011-08-05 11:44 +0100
Re: My system was hacked...how? jmclnx@SPAMisBADgmail.com (Jack McCue) - 2011-08-05 12:47 +0000