On Saturday 27 July 2002 13:08, Joe & Sesil Morris (NTM) wrote:
> I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows.
>
> PROMPT_COMMAND='pwd>&7;kill -STOP $$'
> cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
> <snip>
>
> Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.

It's not an intrusion. I see loads of messages like that too in my bash history on an 8.0 box which isn't connected directly to the internet. I haven't yet investigated it further, but I think it's caused by mc (Midnight Commander). Do you use that too?

--
GertJan
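
The two history lines quoted in this thread, decoded as an added example that is not part of either message: the script turns the octal escapes back into text and labels entries that have the shape Midnight Commander's bash subshell writes. The function names, verdict labels and the extra `ls -la` line are assumptions of this example.

```python
import re

# Constructed sample: the two lines quoted in the thread plus one ordinary command.
SAMPLE_HISTORY = [
    "PROMPT_COMMAND='pwd>&7;kill -STOP $$'",
    "cd \"`echo -e '\\057\\150\\157\\155\\145\\057\\152\\157\\145'`\"",
    "ls -la",
]

OCTAL_RUN = re.compile(r"(?:\\[0-7]{1,3})+")
# Prompt hook: report the working directory on a pipe fd, then stop the shell.
PROMPT_HOOK = re.compile(r"^\s*PROMPT_COMMAND='pwd>&\d+;\s*kill -STOP \$\$'\s*$")
# Directory change whose path is passed entirely as octal escapes.
ESCAPED_CD = re.compile(r"""^\s*cd "`echo -e '((?:\\[0-7]{1,3})+)'`"\s*$""")


def decode_octal(text):
    """Replace each run of \\NNN octal escapes with the text it encodes."""
    def repl(match):
        digits = re.findall(r"\\([0-7]{1,3})", match.group(0))
        # Mask to one byte so a value such as \777 cannot raise ValueError.
        raw = bytes(int(d, 8) & 0xFF for d in digits)
        return raw.decode("utf-8", errors="replace")
    return OCTAL_RUN.sub(repl, text)


def triage(line):
    """Return (verdict, readable_line) for one bash history entry."""
    if PROMPT_HOOK.match(line):
        return ("mc-subshell-hook", line)
    m = ESCAPED_CD.match(line)
    if m:
        return ("mc-subshell-cd", 'cd "%s"' % decode_octal(m.group(1)))
    if OCTAL_RUN.search(line):
        # Encoded text outside the known pattern: decode it for a human to read.
        return ("review-encoded", decode_octal(line))
    return ("plain", line)


def triage_history(lines):
    """Triage every entry, preserving order."""
    return [triage(line) for line in lines]


if __name__ == "__main__":
    for verdict, readable in triage_history(SAMPLE_HISTORY):
        print("%-18s %s" % (verdict, readable))
```

Entries labelled `review-encoded` or `plain` are the ones left for manual review; a match on the two mc patterns explains only those lines, not the rest of the history.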