Hello,

I think it's a typical output through "Midnight Commander" and no hack. I also use the mc and when I walk through my history such lines appear.

Greetings
Mario
-----Original Message-----
From: Joe & Sesil Morris (NTM) [mailto:Joe_Morris@ntm.org]
Sent: Saturday, July 27, 2002 1:08 PM
To: suse-security@suse.com
Subject: [suse-security] [SLE] Security Help needed
I found out yesterday that our server has been intruded. The intruder even was able to su to root (according to the logs). They logged in via /dev/console, and via the bash history I was able to get the commands they typed in. They are as follows.

PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
cd "`echo -e '\057\150\157\155\145'`"
cd "`echo -e '\057'`"
cd "`echo -e '\057\166\141\162'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\154\151\145\156\164\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\155\161\165\145\165\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\163\141\155\142\141'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156\057\166\151\162\165\163\155\141\151\154\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\166\163\143\141\156'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154\057\143\165\160\163'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
Do any of you recognize these commands, and can tell me what they do? BTW, this is SuSE 8.0. I still haven't figured out how they got in. I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.
--
Joe & Sesil Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace God, I am what I am.
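Added example (not part of either message above): a small Python helper that reads history lines of the form quoted in the original message and decodes the octal escapes into the directory each `cd` points to, without executing anything from the history file. The function names and the sample input are constructed for illustration.

```python
import re

# Constructed sample input, in the same form as the lines quoted above.
SAMPLE_HISTORY = r"""PROMPT_COMMAND='pwd>&7;kill -STOP $$'
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
cd "`echo -e '\057\166\141\162\057\163\160\157\157\154'`"
ls -la
"""

# A cd whose argument is built entirely from octal escapes via echo -e.
CD_ECHO = re.compile(r"""^cd\s+"`echo -e '((?:\\[0-7]{1,3})+)'`"\s*$""")
OCTAL = re.compile(r"\\([0-7]{1,3})")


def decode_octal_path(escaped):
    """Turn a string such as \\057\\166\\141\\162 into the bytes it encodes."""
    # Mask to one byte so an out-of-range escape cannot raise ValueError.
    raw = bytes(int(digits, 8) & 0xFF for digits in OCTAL.findall(escaped))
    # Keep undecodable bytes visible instead of dropping them.
    return raw.decode("utf-8", errors="backslashreplace")


def triage_history(text):
    """Return (line_number, kind, detail) for every history line."""
    results = []
    for number, line in enumerate(text.splitlines(), 1):
        match = CD_ECHO.match(line)
        if match:
            results.append((number, "cd", decode_octal_path(match.group(1))))
        elif line.startswith("PROMPT_COMMAND=") and "kill -STOP $$" in line:
            # The prompt-hook line that precedes the cd sequence in the message.
            results.append((number, "prompt-hook", line))
        else:
            # Anything else is left for manual review.
            results.append((number, "other", line))
    return results


if __name__ == "__main__":
    for number, kind, detail in triage_history(SAMPLE_HISTORY):
        print(f"{number:4d}  {kind:12s} {detail}")
```

Lines reported as "other" are the ones that do not match this pattern and still need to be read by hand.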