Hi all :-) First of all, sorry for my English.

2 days ago a hacker crew (BALUARI TEAM) using brute-force programs
compromised my Debian 7, changed the root password and installed a rootkit.

last

root     pts/0        31.14.106.154    Mon Jul  1 12:28 - 12:28  (00:00)
root     pts/0        31.14.106.154    Mon Jul  1 09:43 - 09:45  (00:01)

(because of a router problem I started my server 2 days ago)

/var/log/syslog

Jul 11 06:26:01 server5 /USR/SBIN/CRON[4522]: (root) CMD (/root/Agent/update >/dev/null 2>&1)

Immediately I saw a connection with netstat:

tcp 0 0 0.0.0.0:34600 0.0.0.0:* LISTEN -

and

tcp 0 0 192.168.1.250:55834 173.230.241.139:6667 ESTABLISHED -

This IP, 173.230.241.139, is a Romanian VPS server with an IRC server and 3
channels.

I connected to this channel and got to know the staff of the hackers.

Today I made a backup of this script, which contains a huge list of
compromised servers. Later I will re-install the whole system.

Would it be useful to send this rk?

thanks

Pol
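
Added example, not part of the original message: a small triage script that runs the two checks implied by the output quoted above, flagging TCP sockets that netstat cannot attribute to a process or that talk to an IRC port, and root cron jobs that execute from unusual directories. The function names, the IRC port list, the directory list and the sshd/anacron sample lines are assumptions made for illustration.

```python
import re

# Sample input: the first two netstat lines and the first syslog line are taken
# from the post; the sshd and anacron lines are constructed for contrast.
NETSTAT = """\
tcp 0 0 0.0.0.0:34600 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.250:55834 173.230.241.139:6667 ESTABLISHED -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 812/sshd
"""
SYSLOG = """\
Jul 11 06:26:01 server5 /USR/SBIN/CRON[4522]: (root) CMD (/root/Agent/update >/dev/null 2>&1)
Jul 11 06:25:01 server5 /USR/SBIN/CRON[4501]: (root) CMD (test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily ))
"""

# Assumed heuristics, not a complete list.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
ODD_CRON_DIRS = ("/root/", "/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
CRON_RE = re.compile(r"CRON\[\d+\]: \((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)\s*$", re.I)

def triage_netstat(text):
    """Flag TCP sockets with no visible owner, and sessions to IRC ports.
    Assumes `netstat -tnp` run as root, where '-' on a LISTEN/ESTABLISHED
    socket means netstat could not match it to a process (kernel-owned
    sockets such as NFS show this too, so each hit needs a manual look)."""
    findings = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp"):
            continue
        local, remote, state, owner = f[3], f[4], f[5], f[6]
        if owner == "-" and state in ("LISTEN", "ESTABLISHED"):
            findings.append(("no-owner", local, remote, state))
        port = remote.rsplit(":", 1)[-1]
        if state == "ESTABLISHED" and port.isdigit() and int(port) in IRC_PORTS:
            findings.append(("irc-port", local, remote, state))
    return findings

def triage_cron(text):
    """Flag cron jobs whose executable lives in a directory from ODD_CRON_DIRS."""
    findings = []
    for line in text.splitlines():
        m = CRON_RE.search(line)
        argv = m.group("cmd").split() if m else []
        if argv and argv[0].startswith(ODD_CRON_DIRS):
            findings.append((m.group("user"), argv[0]))
    return findings

if __name__ == "__main__":
    for finding in triage_netstat(NETSTAT) + triage_cron(SYSLOG):
        print(finding)
```

On a host suspected of carrying a rootkit, the local netstat binary and logs may themselves be tampered with, so the same checks are more reliable against captures taken from a trusted boot medium or from the network side.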

