Re: Hacker in my computer
From: Bill Unruh (unruh@physics.ubc.ca) Date: 12/29/01
- Next message: Kasper Dupont: "Re: IPCHAINS and Neomodus Direct Connect"
- Previous message: Bill Unruh: "Re: ftp was hacked"
- In reply to: OxyFx: "Hacker in my computer"
- Next in thread: ERA: "Re: Hacker in my computer"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: unruh@physics.ubc.ca (Bill Unruh) Date: 29 Dec 2001 20:51:54 GMT
In <1ibX7.132853$KT.34509941@news4.rdc1.on.home.com> "OxyFx" <OxyFx@hotmail.com> writes:
]hi.
]It is a sad story, but a hacker got to my Linux server.
]First I noticed that the syslog is sending me error messages about not being
]able to write to some files.
]Then when I looked a little more carefully, there were two new users on my
]computer: dead (anarchee) and h.
]Some new directories under the /user/lib:
].egcs
] with new files like:
] apmd
] random_d.2
] sched_hosts.2
] sched_host.2.pub
] set_pid.2
] ssh
] sshd
] sshd_config
]also
].ss
] with new files like
] alpd.c
] cleaner
] dos
] fix
] imp
] juno
] parser
] test
] toolz.tgz
]By looking through these files, I can see that someone is planning a
]serious attack initiated from my computer...
]the other problem is that the attacker killed my syslogd in the /sbin
]directory. When I try to delete it:
]rm: Remove write-protected file 'syslogd'? y
]rm: cannot unlink 'syslogd': Operation not permitted.
]Also whenever I reboot the computer there are two new processes running:
]craca and another one. I killed the PIDs.
]there is also a new 512 length file created with every reboot: s__r__s on
]the / directory.
]I locked down as much access as I could but netstat shows an open port on
]1984 - I don't know anything about.
]Does someone have any idea what kind of exploit I witnessed, and also if I
]have the IP of the attacker - where can I report it - but probably he is not
]doing it from his own computer, but from another victim like me....
]Any idea on how I can repair the damage?
Yes. Reinstall. Install all security patches. Scan for all suid or sgid files. Replace ALL, yes ALL
passwords. In that order.
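The suid/sgid scan Bill lists as step three, written out as an added example (not code from the thread or from either poster). It assumes only POSIX `find`, `comm` and `mktemp`; the `demo` function constructs a throwaway directory tree with a hidden `.egcs` subdirectory, like the one OxyFx found, to show how a privileged file dropped after the baseline was taken is reported.

```shell
#!/bin/sh
# Added example, not part of the original thread: list every setuid/setgid
# file under a tree and report the ones that were not present in a saved
# baseline, so binaries left behind by an intruder stand out.

# Print every regular file under $1 that has the setuid (4000) or setgid
# (2000) bit set, one path per line, sorted so two runs can be compared.
# -xdev keeps the scan on one filesystem; run it once per mounted filesystem.
find_privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print the paths in the current scan ($2) that do not appear in the
# baseline file ($1). Both files must be sorted, as find_privileged_files
# produces them. comm -13 prints only lines unique to the second file.
new_privileged_files() {
    comm -13 "$1" "$2"
}

# Constructed demonstration: a small tree with one known setuid binary is
# baselined, then a new setuid file appears in a hidden directory and is
# reported by the comparison. Prints the unexpected path(s).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/lib/.egcs"

    printf 'x' > "$root/bin/legit"
    chmod 4755 "$root/bin/legit"          # legitimate setuid binary, known at baseline time
    find_privileged_files "$root" > "$root/baseline.txt"

    printf 'x' > "$root/lib/.egcs/sshd"   # constructed: file planted after the baseline
    chmod 4755 "$root/lib/.egcs/sshd"
    find_privileged_files "$root" > "$root/current.txt"

    new_privileged_files "$root/baseline.txt" "$root/current.txt"
    rm -rf "$root"
}
```

In real use the baseline has to come from a clean install (take it right after step one and keep it off the machine), because a baseline recorded on the compromised host already includes whatever the intruder added; that ordering is exactly why the reinstall comes first in Bill's list. Run the scan as root against each mounted filesystem, and treat any path not in the baseline as something to explain, not something to delete on sight.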