On Mon, 29 Jul 2002 16:33:17 +0800 (PHT)
Pong <[EMAIL PROTECTED]> wrote:
> your box was hacked like mine and I got the privilege of
> recording the list of files that were installed (see below).
> I didn't do rootkit research but from the looks, I guessed it was an
> automatic exploit script.
By golly! You're right! I checked the files you noted and I found the same
thing:
# cat /dev/xmx
3 in.rexedcs
3 defauths dcs
3 defauths
3 rdcmound
3 rdcbac
3 w
3 s
3 psy
3 bot
3 scan
3 wus
3 klog
3 create
3 crush
3 snif
3 ras2xm
3 sourcemask
# cat /dev/xdta (NOTE: I x'ed out the IP addresses -- Manny)
1 194.xxx.xxx.xxx
1 194.xxx.xxx.xxx
1 194.xxx.xxx.xxx
1 194.xxx.xxx.xxx
1 194.xxx.xxx.xxx
1 hobbiton.org
2 hobbiton.org
3 59311
3 59388
3 31471
3 51211
3 51212
3 51213
3 51214
4 6660
4 6666
4 6667
4 6668
4 6669
4 7000
4 31337
4 5555
4 31336
I also did a "netstat -l" and noticed these suspicious entries:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:7102 *:* LISTEN
tcp 0 0 *:24374 *:* LISTEN
tcp 0 0 *:31336 *:* LISTEN
Why should my machine be listening on 6000, 7102, 24374, and 31336? And
some of these numbers are found in the hacker's log file!
What does one do now? Is it simply a matter of deleting these files? I've
changed passwords already.
Thanks! God bless!
-- [Manny Amador] ----------------------------- [[EMAIL PROTECTED]] --
Member: Philippine League for Democratic Telecommunications, Inc.
"Affordable Access for All!"
-- [Distributed Development Network (DDN)] ------- [www.distdev.com] --
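The two files Manny pasted are a classic pattern: a list of names to hide from directory listings and a list of addresses and ports to hide from netstat. The check below is an added example (not something from the original thread or from any tool mentioned in it) that automates the comparison Manny did by hand: parse "netstat -l" output, subtract a baseline of services the owner expects, and then see which of the leftover ports also appear in the rootkit's hide list. The sample netstat output and hide list are constructed from the values in the mail, plus sshd and smtp on 22 and 25 so the baseline has something to pass. Treating the "3" and "4" entries of the hide list as port numbers is an assumption based on the values shown, not something the mail states.

```python
import re

# Constructed sample: Manny's four suspicious listeners plus two benign
# services (22, 25) so the allowlist logic has something to accept.
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:22 *:* LISTEN
tcp 0 0 *:25 *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:7102 *:* LISTEN
tcp 0 0 *:24374 *:* LISTEN
tcp 0 0 *:31336 *:* LISTEN
"""

# Constructed excerpt of the /dev/xdta-style hide list from the mail.
# Assumption: type 3 and 4 entries are port numbers (the values look like
# ports); type 1 and 2 entries are addresses and are ignored here.
HIDE_LIST = """\
1 194.xxx.xxx.xxx
2 hobbiton.org
3 59311
3 31471
4 6667
4 31337
4 31336
"""

# Baseline the box owner can vouch for. 6000 is X11; listed here only to
# show that an explained port drops out of the report.
EXPECTED_PORTS = {22, 25, 6000}

# "tcp"/"udp" (optionally tcp6/udp6), Recv-Q, Send-Q, then local addr:port
NETSTAT_LINE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+\S+:(\d+)\s")


def listening_ports(netstat_text):
    """Return the set of local ports from `netstat -l`-style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def hide_list_ports(hide_text):
    """Return the ports a netstat hide list would suppress (types 3 and 4)."""
    ports = set()
    for line in hide_text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] in ("3", "4") and fields[1].isdigit():
            ports.add(int(fields[1]))
    return ports


def triage(netstat_text, hide_text, expected=EXPECTED_PORTS):
    """Ports that are listening but not in the baseline, and which of those
    the rootkit was configured to hide."""
    unexpected = listening_ports(netstat_text) - expected
    hidden = hide_list_ports(hide_text)
    return {
        "unexpected": sorted(unexpected),
        "in_hide_list": sorted(unexpected & hidden),
    }


if __name__ == "__main__":
    report = triage(NETSTAT_OUTPUT, HIDE_LIST)
    print("listening but not in baseline:", report["unexpected"])
    print("of those, named in the hide list:", report["in_hide_list"])
```

On the sample data the unexplained listeners are 7102, 24374 and 31336, and 31336 is the one the hide list also names. One caveat on where the data comes from: the hide list exists precisely so that the system's own netstat and ls will not show these entries, so the output is only trustworthy when it came from a binary that was not on the compromised box (a copy from install media, or the disk examined from a clean host). A netstat that still shows the ports suggests the replacement did not take, not that the box is clean.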
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
To leave: send "unsubscribe" in the body to [EMAIL PROTECTED]
To subscribe to the Linux Newbies' List: send "subscribe" in the body to
[EMAIL PROTECTED]