Looks like I'm creamed here, people. I don't know what to do. The machine has been invaded by what seems to be a pro... first this guy in Finland mails me saying he's going to contact the authorities, and nobody was logged in by the time of the attempted invasion. I checked for files changed in the last 24 hrs, and there were a lot of files changed in /usr/doc/xv. I went there to check it and there's this "hacking suite", lots of tcpip hacking software, folders with country names, each of them with a huge log of possible exploits in a country. Example:

server:/usr/doc/xv$ cd fi
server:/usr/doc/xv/fi$ ls
log  mscan*
server:/usr/doc/xv/fi$ cat log
194.100.45.125: VULN: runs /cgi-bin/test-cgi
194.251.147.2: VULN: runs /cgi-bin/test-cgi
horus.co.jyu.fi: VULN: linux box vulnerable to named overflow.
192.130.143.16: VULN: redhat linux box running imapd.
195.74.10.2: VULN: runs /cgi-bin/test-cgi
195.148.66.242: VULN: runs /cgi-bin/test-cgi
194.251.147.2: VULN: runs /cgi-bin/test-cgi
horus.co.jyu.fi: VULN: linux box vulnerable to named overflow.
192.130.143.16: VULN: redhat linux box running imapd.
zeus.utanet.fi: VULN: linux box vulnerable to named overflow.
193.210.34.5: VULN: redhat linux box running imapd.
194.215.189.4: VULN: runs /cgi-bin/test-cgi
192.98.61.10: VULN: runs /cgi-bin/test-cgi
195.74.10.2: VULN: runs /cgi-bin/test-cgi

Also in this directory there is a readme.txt file with a lot of FTP and Telnet sessions sniffed, like this:

server:/usr/doc/xv$ ls
af/  ar/  aw/   hstsx*      sl*  uy/
ai/  as/  de/   pf2x*       sm*
ao/  at/  fi/   px*         sx*
aq/  au/  gox*  readme.txt  tp*
server:/usr/doc/xv$ less readme.txt
X.X.X.X=> X.X.X.X [23]
#'ansiP!nailbomb
<MY PASSWORD GOES HERE>
lls
cd /hgomme/fatman
ls
cd ftp
ls
cd gamez
ls
cd ..
ls
cd musicappz
ld
ls
----- [Timed Out]

And also there's this mscan thingie running from /usr/sbin - probably what's generating the logs with possible hacks. I checked and this guy is logging in my box with his own login... though there's no entry in /etc/passwd with the name he's using. And if I try to login with that name, it closes the connection instead of giving me the "login incorrect" message. What should I do?

[]s
bernardo
---------------------------------------------------------------------------
Bernardo Carvalho = Web Designer = [EMAIL PROTECTED]
ICQ # 2136776 = http://i.am/nailbomb
http://www.surfmotherfuckers.com.br
---------------------------------------------------------------------------
"There's only one thing that I can do: ding a ding dang my dang a long ling long"
