My Redhat 7.0 has been hacked, again! Help!

From: 7knots.com (sevenknots@shaw.ca)
Date: 12/31/01

    From: "7knots.com" <sevenknots@shaw.ca>
    Date: Mon, 31 Dec 2001 10:53:30 GMT


    I had telnet & finger services running when this happened.
    Don't know how the hacker got in.
    He created a user "tty1" with uid:gid = 0:500
    touched /etc/passwd, /etc/group, /etc/shadow, /etc/gshadow and /etc/mtab
    Created a directory: "/dev/ /" (notice the two spaces between / /) which
    has four files in it: reaper2 (42k binary), mport (20k binary), clean (20k
    binary) and reaper2.sh:
    =============================================
    #!/bin/sh
    echo "reaper2 timeout coded by TeKnICaL of Division7"
    echo "Enter ip of victum"
    read ip
    echo "Enter port of victum"
    read port
    echo "Enter timeoute"
    read timeoute
    echo "Enter number of proccesses"
    read number of proccesses
    echo "Enter time to kill proccess"
    read time
    ./reaper2 $ip $port $timeoute $number of proccesses &
    sleep $time
    killall -9 reaper2
    ====================================

    He redirected /usr/bin/grephistory and /usr/bin/makehistory to /dev/null,
    and edited the /etc/issue.net file such that, as of today, I can't even
    delete it (even after reboot!). It shows the ownership of "root/root" all
    right. ???????
    He cleaned all /var/log files and their ownership carried root/stty1

    From the Ramen Noodle experience, it looks to me like a new worm attack.
    Can any of you help?! Thanks a lot.

    Tom Yang

    --
    --tom
    www.7knots.com
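The following is an added audit script, not part of Tom's post and not a Red Hat tool, written from the defender's side: it checks a host for the four artefacts listed above (an extra uid-0 account, directory names containing spaces under /dev, binaries turned into symlinks to /dev/null, and files carrying the immutable attribute). The function names and the sample inputs are mine. The explanation that a file root cannot delete even after a reboot is usually one marked with "chattr +i" is an assumption the post does not confirm; it is offered as the first thing to verify with lsattr.

```shell
#!/bin/sh
# Added example, not from the original post or any Red Hat tool: a small audit
# script that looks for the four kinds of artefacts described in the post.
# Every function takes the path to inspect as a parameter, so the same code can
# run over constructed sample files or over a live host.

# 1. Accounts other than "root" whose uid is 0 (the post's "tty1" user with
#    uid:gid = 0:500). Prints "name:gid" per hit; returns 1 if any were found.
find_uid0_accounts() {
    hits=$(awk -F: '$3 == 0 && $1 != "root" { print $1 ":" $4 }' "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# 2. Entries under a directory tree whose names contain a space (the post's
#    "/dev/ /" hiding place). Legitimate device nodes never carry spaces.
find_whitespace_names() {
    find "$1" -name '* *' 2>/dev/null || true
    return 0
}

# 3. Files in a directory that have been turned into symlinks to /dev/null
#    (the post's grephistory and makehistory redirection).
find_devnull_links() {
    for f in "$1"/*; do
        [ -L "$f" ] || continue
        [ "$(readlink "$f")" = "/dev/null" ] && printf '%s\n' "$f"
    done
    return 0
}

# 4. Immutable attribute check. Assumption (not stated in the post): a file that
#    root cannot delete even after a reboot is usually carrying the ext2/ext3
#    immutable flag set with "chattr +i"; lsattr shows it as "i" in the first
#    column. Returns 0 if the flag is set.
is_immutable() {
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q i
}

# Usage on a live host, as root (file name "audit.sh" is hypothetical):
#   . ./audit.sh
#   find_uid0_accounts /etc/passwd
#   find_whitespace_names /dev
#   find_devnull_links /usr/bin
#   is_immutable /etc/issue.net && echo "/etc/issue.net is immutable"
```

One caveat a responder would want: on a box where the attacker already replaced system binaries, awk, find and lsattr themselves may be trojaned, so run checks like these from a known-good boot medium or against the disk mounted read-only, and treat any positive hit as grounds for a rebuild rather than a cleanup.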