Mailinglist Archive: opensuse (3666 mails)

Re: [SLE] My server got hacked? Anyoen seem this?
  • From: Henry Tang <henry@xxxxxxxxxxxxxx>
  • Date: Sun, 13 Mar 2005 21:06:26 -0600
  • Message-id: <4234FFB2.7030505@xxxxxxxxxxxxxx>

Only if you don't boot the machine again.

If rm -rf has been put into the init sequence (perhaps /etc/boot)
then by starting the machine again the rogue code will be started and do its damage.

You can boot with knoppix and then mount your partitions and examine them for damage.
Did you install tripwire?



Tripwire looks like pretty good software! So I still that after booting with knoppix?
I looked into my system and this is what I found and wonder.

Does this show that the email was sent by root?

H??Received: (from root@localhost)
by main.yucreation.com (8.11.6/8.11.6/SuSE Linux 0.5) id j2A9fEW12735
for Blondu@xxxxxxxx; Thu, 10 Mar 2005 03:41:14 -0600
H?D?Date: Thu, 10 Mar 2005 03:41:14 -0600
H?F?From: root <root>

I think the hack that sends out the email with shadow and passwd listing either has root access or shadow group access. Because according to this below it shows that only user of shadow or root can read the file. If the hacker has root, what is the purpose of getting the system config or shadow file via email? I don't see a reason going through all that trouble. So it must be user gdm.

shadow:x:15:root,gdm

-rw-r--r-- 1 root root 3102 Mar 11 03:49 passwd
-rw-r--r-- 1 root root 3102 Jan 5 23:26 passwd-
-rw-r--r-- 1 root root 2761 Oct 8 2003 passwd.bak
-rw-r--r-- 1 root root 2942 Nov 23 2003 passwd.old
main:/etc # ls -la | grep shadow
-rw-r--r-- 1 root shadow 772 Feb 9 15:35 group
-rw-r--r-- 1 root shadow 744 Oct 7 2003 group.bak
-rw-r----- 1 root shadow 765 Nov 7 2003 gshadow
-rw------- 1 root root 755 Nov 7 2003 gshadow-
-rw-r----- 1 root shadow 1859 Mar 11 04:26 shadow
-rw-r----- 1 root shadow 1819 Jan 12 12:07 shadow-
-rw-r----- 1 root shadow 1361 Oct 8 2003 shadow.bak
-rw-r----- 1 root shadow 1859 Mar 11 04:24 shadow.old

In the file listing like below, it is open to anyone so that doesn't explain much. :9

===============================================================

Hacking Files..
/etc/opt/gnome/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/opt/kde2/share/applnk/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/Action/nethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/nethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/TacticStrategy/xnethack.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.-368.desktop
/etc/X11/susewm/AddEntrys/SuSE/Games/unspec/gnomehack.desktop
/home/choad/ftp/appz/Macromedia_Studio_MX/FreeHand/Goodies/Assets/Templates/WebSite Templates/Snake Shack.FT9
/home/henry/hacking
/home/henry/_desktop/replays/hacked.rep
/home/henry/_desktop/replays/hacked2.rep
/opt/gnome/share/gnome/distribution-menus/SuSE/Games/TacticStrategy/xnethack.desktop
/opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jl
/opt/gnome/share/sawfish/1.0/lisp/sawfish/wm/ext/3d-hack.jlc
/usr/games/nethack
/usr/games/nethack.d
/usr/games/nethack.d/nethack.qt
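The reasoning in the post above (who, by file mode and group membership, could have read /etc/shadow) can be made mechanical. The script below is an added example, not code from the thread or from SUSE: it parses `ls -la` output and `/etc/group` lines copied from the post (the sample input is constructed from that listing) and reports, for each file, which accounts can read it. Assumptions: root is always counted because it bypasses discretionary permissions, and only the supplementary members listed in `/etc/group` are known, since the primary-group assignments in `/etc/passwd` are not shown on the page.

```python
import re

# Constructed sample input: lines copied from the listing in the post above.
LS_OUTPUT = """\
-rw-r--r-- 1 root root 3102 Mar 11 03:49 passwd
-rw-r----- 1 root shadow 765 Nov 7 2003 gshadow
-rw------- 1 root root 755 Nov 7 2003 gshadow-
-rw-r----- 1 root shadow 1859 Mar 11 04:26 shadow
-rw-r----- 1 root shadow 1819 Jan 12 12:07 shadow-
"""
# Constructed /etc/group fragment, also from the post.
GROUP_FILE = "shadow:x:15:root,gdm\n"

# mode, links, owner, group, size, month, day, time-or-year, name
LS_RE = re.compile(
    r"^([-dlcbps][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)

WORLD = "world"  # marker: any local account can read the file


def parse_groups(text):
    """Map group name -> set of supplementary members from /etc/group lines."""
    groups = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def parse_ls(text):
    """Yield (name, mode, owner, group) for every line that looks like ls -l output."""
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            yield m.group(4), m.group(1), m.group(2), m.group(3)


def readers(mode, owner, group, groups):
    """Accounts able to read a file given its mode string and the /etc/group map.

    Index 1 is the owner read bit, 4 the group read bit, 7 the other read bit.
    root is always included: it bypasses discretionary access control.
    """
    if mode[7] == "r":
        return WORLD
    who = {"root"}
    if mode[1] == "r":
        who.add(owner)
    if mode[4] == "r":
        who |= groups.get(group, set())
    return frozenset(who)


def audit(ls_text, group_text):
    """Return {filename: WORLD or frozenset of accounts} for the listing."""
    groups = parse_groups(group_text)
    return {name: readers(mode, owner, grp, groups)
            for name, mode, owner, grp in parse_ls(ls_text)}


def non_root_readers(ls_text, group_text, filename):
    """The accounts other than root that could have read `filename` (empty if world-readable
    the question is moot, so WORLD is returned unchanged)."""
    result = audit(ls_text, group_text)[filename]
    return result if result == WORLD else frozenset(result - {"root"})


if __name__ == "__main__":
    for name, who in audit(LS_OUTPUT, GROUP_FILE).items():
        print(f"{name:10} readable by: {who if who == WORLD else sorted(who)}")
```

On the post's own data this reports `passwd` as world-readable and `shadow` as readable by root and gdm only, which is exactly the narrowing the poster did by hand; on a real machine the group map should come from the mounted, suspect `/etc/group`, not the live one, and the primary groups from `/etc/passwd` should be merged in before trusting the result.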
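The quoted reply suggests booting from Knoppix, mounting the partitions and examining them for damage, and asks whether Tripwire was installed. The following is an added example of the minimal form of that check, written for this page and not taken from Tripwire or from the thread: it records a SHA-256 digest, mode and size for every regular file under a mounted tree, and diffs a later walk against that baseline to list added, removed and changed files. The `demo()` function builds a constructed temporary tree and tampers with it so the comparison can be run offline; the path names inside it are invented for the demo.

```python
import hashlib
import os
import stat
import tempfile


def _digest(path, chunk=65536):
    """SHA-256 of a file, streamed so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Walk a mounted tree and record (digest, permission bits, size) per regular file.

    Keys are paths relative to `root`, so a baseline taken on the running system
    can be compared with a walk over the same filesystem mounted under /mnt from a
    rescue boot. Symlinks, devices and sockets are skipped (os.lstat, no following).
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root)
            baseline[rel] = (_digest(full), stat.S_IMODE(st.st_mode), st.st_size)
    return baseline


def compare(baseline, current):
    """Diff two baselines; a changed digest, mode or size all count as 'changed'."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "changed": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, then alter a boot script and add a file."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    initd = os.path.join(root, "etc", "init.d")
    os.makedirs(initd)
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n")   # constructed content
    with open(os.path.join(initd, "boot.local"), "w") as fh:
        fh.write("#!/bin/sh\n")
    before = build_baseline(root)

    # Simulated damage of the kind the quoted reply warns about: a line appended
    # to a script in the init sequence, and a file that was not there before.
    with open(os.path.join(initd, "boot.local"), "a") as fh:
        fh.write("echo appended-by-demo\n")
    with open(os.path.join(root, "etc", "unexpected.conf"), "w") as fh:
        fh.write("constructed\n")
    after = build_baseline(root)
    return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

What makes Tripwire useful, and what this sketch leaves out, is that the baseline must be written before the compromise and kept where the intruder cannot rewrite it (read-only media or a signed copy off the host); a baseline built from the already-compromised disk only tells you what changes after you took it.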
